Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware.iemonster.b And Adware Zlob.pornadviser.ba


  • This topic is locked This topic is locked
27 replies to this topic

#1 ozgun

ozgun

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 18 February 2008 - 03:19 AM

hello i am new at his forum and i have problems with spyware.iemonster.b and adware zlob.pornadviser.ba
my internet explorer does not work properly and some desktop icons about porn sites appear. also windows keep saying things about these malware.
i am posting my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:58, on 18.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\ComboFix\nircmd.cfexe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\nnnkkll.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {4E07F085-85D8-4248-A27C-0D01F07D178A} - C:\WINDOWS\system32\vtutq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Hızlı Başlangıç.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203054148203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203150885843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: isodvrtg - C:\WINDOWS\SYSTEM32\isodvrtg.dll
O20 - Winlogon Notify: nnnkkll - C:\WINDOWS\SYSTEM32\nnnkkll.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 9095 bytes

Edited by ozgun, 18 February 2008 - 06:01 AM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:21 PM

Posted 18 February 2008 - 09:11 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ozgun

ozgun
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 18 February 2008 - 01:10 PM

i downloaded the software and did the scan
here is my report and HJT log



AntiVir PersonalEdition Classic
Report file date: 18 Şubat 2008 Pazartesi 19:20

Scanning for 835736 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: OZGUN005

Version information:
BUILD.DAT : 270 15603 Bytes 19.09.2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23.08.2007 12:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16.08.2007 11:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14.08.2007 14:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21.08.2007 11:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18.07.2007 13:27:15
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 13.09.2007 13:26:55
ANTIVIR2.VDF : 7.0.0.1 2048 Bytes 13.09.2007 13:27:04
ANTIVIR3.VDF : 7.0.0.2 2048 Bytes 13.09.2007 13:27:13
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 17.09.2007 16:43:56
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26.02.2007 09:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18.07.2007 06:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16.04.2007 12:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 03.08.2007 07:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 18.07.2007 06:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28.08.2007 11:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18.07.2007 06:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08.03.2007 10:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07.08.2007 11:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21.08.2007 11:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23.07.2007 08:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: G:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 18 Şubat 2008 Pazartesi 19:20

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'comHost.exe' - '1' Module(s) have been scanned
Scan process 'symlcsvc.exe' - '1' Module(s) have been scanned
Scan process 'hprblog.exe' - '1' Module(s) have been scanned
Scan process 'hpqste08.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'ccApp.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'nSvcIp.exe' - '1' Module(s) have been scanned
Scan process 'nSvcAppFlt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PSIService.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'nTuneService.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '0' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ccSvcHst.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'F:\'
[NOTE] No virus was found!
Boot sector 'G:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '31' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\Grisoft\AVG Antispyware 7.5\quarantine\fil489CEFE9.dat
[0] Archive type: GZ
--> fil489CEFE9
[DETECTION] Is the Trojan horse TR/Agent.aox
[INFO] The file was moved to '4825bece.qua'!
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{33264E28-388D-4B24-B3D4-8F5054B60F6A}\RP35\A0003370.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[INFO] The file was moved to '47e9c21c.qua'!
C:\System Volume Information\_restore{33264E28-388D-4B24-B3D4-8F5054B60F6A}\RP35\A0003371.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '464691c5.qua'!
C:\System Volume Information\_restore{33264E28-388D-4B24-B3D4-8F5054B60F6A}\RP35\A0003385.exe
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[INFO] The file was moved to '47e9c21d.qua'!
C:\System Volume Information\_restore{33264E28-388D-4B24-B3D4-8F5054B60F6A}\RP35\A0003386.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '464691c6.qua'!
C:\System Volume Information\_restore{33264E28-388D-4B24-B3D4-8F5054B60F6A}\RP35\A0003388.exe
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[INFO] The file was moved to '47e9c21f.qua'!
C:\System Volume Information\_restore{33264E28-388D-4B24-B3D4-8F5054B60F6A}\RP35\A0003390.exe
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[INFO] The file was moved to '47e9c21e.qua'!
C:\System Volume Information\_restore{33264E28-388D-4B24-B3D4-8F5054B60F6A}\RP35\A0003525.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[INFO] The file was moved to '47e9c222.qua'!
C:\System Volume Information\_restore{33264E28-388D-4B24-B3D4-8F5054B60F6A}\RP35\A0003526.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '464691fb.qua'!
C:\System Volume Information\_restore{33264E28-388D-4B24-B3D4-8F5054B60F6A}\RP35\A0003755.exe
[DETECTION] Is the Trojan horse TR/Crypt.FSPM.Gen
[INFO] The file was moved to '47e9c229.qua'!
C:\WINDOWS\system32\winmqx32.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[INFO] The file was moved to '4827c41f.qua'!
C:\WINDOWS\system32\winosz32.dll
[DETECTION] Is the Trojan horse TR/Crypt.PEC2X.Gen
[INFO] The file was moved to '4827c420.qua'!
Begin scan in 'F:\'
F:\hiberfil.sys
[WARNING] The file could not be opened!
Begin scan in 'G:\' <My Book>


End of the scan: 18 Şubat 2008 Pazartesi 19:54
Used time: 34:29 min

The scan has been done completely.

15224 Scanning directories
305055 Files were scanned
12 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
12 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
305043 Files not concerned
2591 Archives were scanned
3 Warnings
257 Notes






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:08:23, on 18.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\nnnkkll.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2281620C-F7B0-40FF-9AAD-004DF1EA07E4} - C:\WINDOWS\system32\vtutq.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O3 - Toolbar: Norton Araç Çubuğunu Göster - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-854245398-1644491937-839522115-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203054148203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203150885843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: isodvrtg - C:\WINDOWS\SYSTEM32\isodvrtg.dll
O20 - Winlogon Notify: nnnkkll - C:\WINDOWS\SYSTEM32\nnnkkll.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11044 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:21 PM

Posted 18 February 2008 - 01:18 PM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 ozgun

ozgun
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 18 February 2008 - 02:39 PM

i follow the instructions on the website but it gets stuck after it says "scanning for infected files" for more than half an hour. i tried it 3 times. do you have an idea what the problem is?
here is my fresh HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:34, on 2008-02-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\nnnkkll.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {14dd93d9-e013-0e88-91d4-d3c9f7a25588} - {88552a7f-9c3d-4d19-88e0-310e9d39dd41} - C:\WINDOWS\system32\scuatacy.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {90338197-8C58-4AB7-9A61-93A371FDD8A9} - C:\WINDOWS\system32\vtutq.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O3 - Toolbar: Norton Araç Çubuğunu Göster - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203054148203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203150885843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: isodvrtg - C:\WINDOWS\SYSTEM32\isodvrtg.dll
O20 - Winlogon Notify: nnnkkll - C:\WINDOWS\SYSTEM32\nnnkkll.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10589 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:21 PM

Posted 18 February 2008 - 02:50 PM

Hi,

Yes, I have an idea what the problem is - and that is the fact that you have two antivirus installed in a meanwhile now.
In your first log, you didn't have an Antivirus installed, so I asked you to install Avira, and now I suddenly see you have installed Norton/symantec on top.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also because more than one Antivirus and Firewall installed are not compatible with eachother, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.

Then try Combofix again, but disable your Antivirus first.
If that didn't make any difference, try it from Windows Safe mode.

°To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

Sidenote, I see you have the Nvidia Firewall (NetworkAccessManager) installed. I want to make you aware of the fact that this one may cause a lot of problems as this is a buggy firewall and is incompatible with a lot of software and hardware.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 ozgun

ozgun
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 18 February 2008 - 03:15 PM

i did everything you said and combofix worked in the safe mod but when it reboot it stucked just before it creates the log file and here is my fresh HJT log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:12, on 2008-02-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203054148203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203150885843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: isodvrtg - C:\WINDOWS\SYSTEM32\isodvrtg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9281 bytes

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:21 PM

Posted 18 February 2008 - 03:32 PM

I am pretty sure it's your Norton interfering here..

Anyway, we'll try it again afterwards. We need to remove another nasty infection first as well..

Please disable your Norton, as it may interfere.

Then, Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish".
A red "dos window" (dos box) will open.
Select option 1. Make logfile by typing 1 and then pressing Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
Copy the contents of that logfile and paste it into this thread.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 ozgun

ozgun
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 19 February 2008 - 03:08 AM

here is my log file but ican't boot my computer unless it is in safe mode. when i boot it in normal mode it suddenly restarts.

HAXFIX logfile - by Marckie

version 5.00.2
2008-02-19 9:55:29.93
running from C:\HaxFix

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
isodvrtg

checking for services
isodvstg

checking iexplore.exe
iexplore.exe is not infected


--- Checking for other Goldun and Haxdoor files ---
C:\WINDOWS\system32\hrpdcf.bin
C:\WINDOWS\system32\kl80.bin


--- Catchme logfile - thank you Gmer ---

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 09:55:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00046181e642]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00046181e642]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:21 PM

Posted 19 February 2008 - 07:16 AM

Hi,

It's because your system is so severly infected that you have so many problems... and also because - as I already explained previously, your Nvidia Firewall has a lot of incompatibility issues with other software installed. In a meanwhile you installed Norton/symantec as well, so that may also explain why you're having problems with normal mode.

Doubleclick haxfix.exe present on your desktop.
Close all other open windows since this step requires a reboot.

Select option 2. Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.
After reboot a logfile will open.
Post the contents of that logfile along with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 ozgun

ozgun
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 19 February 2008 - 12:07 PM

hi i did eveything you said and my pc works fine in normal mode. i think i don't have any problems but maybe you can check that too. i really thank you for your help and i am sending the haxfix log and the fresh HJT log

HAXFIX logfile - by Marckie

version 5.00.2
2008-02-19 18:53:26.57

--- Auto Haxdoorfix ---


Haxdoorfix Part 1

no infections found


Haxdoorfix Part 2

searching for notifykeys
no notifykeys found

searching for services
no services found

searching for safeboot services
no safeboot services found


--- Goldunfix ---


searching for other goldun- and haxdoorfiles:
C:\WINDOWS\system32\hrpdcf.bin
C:\WINDOWS\system32\kl80.bin

checking iexplore.exe
iexplore.exe is not infected

searching for SSODLkeys
no SSODLkeys found

searching for notifykeys
isodvrtg

searching for services
isodvstg

deleting service isodvstg
[SWSC] DeleteService SUCCESS


--- Registrysettings ---

not necessary


.....rebooting the computer.....


--- searching for ssodlkeys ---

not necessary


--- searching for notifykeys ---

notifykey isodvrtg not found


--- searching for services ---

service isodvstg not found


--- searching for safeboot services ---

not necessary


--- searching for files ---

C:\WINDOWS\system32\hrpdcf.bin found
deleting C:\WINDOWS\system32\hrpdcf.bin
C:\WINDOWS\system32\hrpdcf.bin has been deleted

C:\WINDOWS\system32\kl80.bin found
deleting C:\WINDOWS\system32\kl80.bin
C:\WINDOWS\system32\kl80.bin has been deleted

C:\WINDOWS\system32\isodvrtg.dll found
deleting C:\WINDOWS\system32\isodvrtg.dll
C:\WINDOWS\system32\isodvrtg.dll has been deleted

C:\WINDOWS\system32\isodvstg.sys found
deleting C:\WINDOWS\system32\isodvstg.sys
C:\WINDOWS\system32\isodvstg.sys has been deleted


--- searching for other files in the system32 folder ---

no other files found in the system32 folder


--- searching for other files in windows folder ---

no other files found in the windows folder


--- searching for a3d files ---

no a3d files found


--- checking registry settings ---

not necessary


--- Catchme logfile ---

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 18:54:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{d6c50674-72c1-11d2-9755-0000f8004788}\##?#SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}\#SAD4\Device Parameters]
"FriendlyName"="Realtek HD Audio output"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00046181e642]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00046181e642]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"RefCount"=dword:00000001

scanning hidden files ...

C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\wuredir.cab.bak 10040 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1



Finished




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:58, on 2008-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203054148203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203150885843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9242 bytes

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:21 PM

Posted 19 February 2008 - 12:12 PM

Hi,

Even though you don't have any problems anymore, I am sure that there are still a lot of leftovers present.
That's why I want you to run Combofix once again, because I really need that log.

If it still won't run in normal mode, try safe mode again. This time the log should be created since it won't need a reboot anymore. (normally)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 ozgun

ozgun
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 19 February 2008 - 12:23 PM

hi
i could run the combofix in normal mode without problems and here is my log


ComboFix 08-02-18.1 - Ozgun KARAKULLUKCU 2008-02-19 19:19:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.1475 [GMT 2:00]
Running from: C:\Documents and Settings\Ozgun KARAKULLUKCU\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\akkaocyw.dll
C:\WINDOWS\system32\cbxxxya.dll
C:\WINDOWS\system32\hrpdcf.bin . . . . failed to delete
C:\WINDOWS\system32\kl80.bin
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnkkll.dll
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\scuatacy.dll
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\wycoakka.ini
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTLOAD




((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-19 19:14 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-19 19:14 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-19 19:14 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-19 19:04 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-02-19 19:04 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2008-02-19 18:51 . 2008-02-18 22:42 449,350 --a------ C:\HaxFix.exe
2008-02-18 19:18 . 2008-02-18 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-18 18:57 . 2008-02-18 18:57 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\Symantec
2008-02-18 18:14 . 2008-02-18 18:17 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-18 18:02 . 2008-02-19 19:15 <DIR> d-------- C:\Program Files\Norton 360
2008-02-18 18:02 . 2008-02-19 19:02 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-18 18:02 . 2008-02-19 19:02 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-18 18:02 . 2008-02-19 19:02 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-18 18:02 . 2008-02-19 19:02 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-18 18:01 . 2008-02-19 19:02 <DIR> d-------- C:\Program Files\Symantec
2008-02-18 18:01 . 2008-02-19 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-18 18:00 . 2008-02-19 19:18 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-18 12:22 . 2008-02-18 12:22 <DIR> d--h----- C:\Documents and Settings\Ozgun KARAKULLUKCU\.TemporaryItems
2008-02-18 10:00 . 2008-02-18 10:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-18 09:53 . 2008-02-18 09:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-18 09:52 . 2008-02-18 09:52 <DIR> dr------- C:\Documents and Settings\Administrator\Sık Kullanılanlar
2008-02-18 09:52 . 2008-02-18 09:52 <DIR> dr------- C:\Documents and Settings\Administrator\Belgelerim
2008-02-18 09:52 . 2008-02-18 09:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-18 09:52 . 2004-08-04 14:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-17 23:34 . 2008-02-19 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-17 22:46 . 2008-02-17 22:46 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\Grisoft
2008-02-17 22:46 . 2008-02-17 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-17 22:46 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-17 09:52 . 2008-02-17 09:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-17 09:46 . 2008-02-17 10:15 <DIR> d-------- C:\SDFix
2008-02-16 23:58 . 2008-02-16 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-02-16 23:33 . 2008-02-16 23:38 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl
2008-02-16 23:20 . 2008-02-17 03:00 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware
2008-02-16 23:09 . 2008-02-16 23:09 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\Talkback
2008-02-16 23:09 . 2008-02-16 23:09 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2008-02-16 23:09 . 2008-02-16 23:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-16 23:08 . 2008-02-16 23:08 3,738 --a------ C:\WINDOWS\mozver.dat
2008-02-16 22:00 . 2008-02-16 22:00 0 --a------ C:\WINDOWS\system32\sex2.ico.tmp
2008-02-16 22:00 . 2008-02-16 22:00 0 --a------ C:\WINDOWS\system32\sex1.ico.tmp
2008-02-16 21:55 . 2008-02-16 21:55 167,936 --a------ C:\WINDOWS\system32\drivers\Kiqy70.sys
2008-02-16 21:55 . 2008-02-16 21:55 151,552 --a------ C:\xjoukm.exe~
2008-02-16 21:55 . 2008-02-16 21:55 0 --a------ C:\1618426808
2008-02-16 21:52 . 2008-02-16 21:52 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-02-16 21:52 . 2008-02-16 21:52 <DIR> d-------- C:\Program Files\Futuremark
2008-02-16 21:52 . 1999-10-21 09:12 20,400 --------- C:\WINDOWS\system32\drivers\Entech.sys
2008-02-16 21:52 . 2001-11-19 18:05 3,972 --------- C:\WINDOWS\system32\drivers\PciBus.sys
2008-02-16 20:13 . 2008-02-16 20:13 <DIR> dr-h----- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\SecuROM
2008-02-16 20:13 . 2008-02-16 20:13 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-02-16 20:03 . 2008-02-16 20:03 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-02-16 20:03 . 2008-02-16 20:03 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-02-16 20:02 . 2008-02-19 19:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 18:47 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-16 18:47 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-16 15:27 . 2008-02-16 15:27 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\vlc
2008-02-16 14:37 . 2008-02-16 14:37 <DIR> d-------- C:\Program Files\JPN GaMeS
2008-02-16 14:13 . 2008-02-16 14:13 <DIR> d-------- C:\WINDOWS\San Andreas Mod Installer
2008-02-16 14:13 . 2008-02-16 14:13 <DIR> d-------- C:\Program Files\San Andreas Mod Installer
2008-02-16 13:29 . 2008-02-16 13:29 <DIR> d-------- C:\Program Files\Rockstar Games
2008-02-16 13:05 . 2008-02-16 13:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-16 12:59 . 2007-01-19 11:46 49,920 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-02-16 12:59 . 2007-01-19 11:46 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-02-16 12:58 . 2005-10-21 19:52 21,568 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-02-16 12:58 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-16 12:58 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-16 12:56 . 2008-02-16 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-02-16 12:55 . 2008-02-16 12:55 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-02-16 12:55 . 2008-02-16 12:55 <DIR> d-------- C:\Program Files\Common Files\HP
2008-02-16 12:55 . 2008-02-16 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-02-16 12:53 . 2008-02-16 12:53 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-16 12:52 . 2008-02-16 12:52 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-02-16 12:51 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-02-16 12:51 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-02-16 12:51 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-02-16 12:51 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-02-16 12:51 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-02-16 12:51 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-02-16 12:51 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-02-16 12:50 . 2008-02-16 12:59 <DIR> d-------- C:\Program Files\HP
2008-02-16 12:50 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-16 12:50 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-16 12:46 . 2008-02-16 12:59 112,713 --a------ C:\WINDOWS\hpoins07.dat
2008-02-16 12:46 . 2005-05-24 10:22 21,124 --------- C:\WINDOWS\hpomdl07.dat
2008-02-16 12:45 . 2008-02-18 09:50 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\HP
2008-02-16 12:39 . 2008-02-16 12:39 <DIR> d-------- C:\Program Files\iTunes
2008-02-16 12:39 . 2008-02-16 12:39 <DIR> d-------- C:\Program Files\iPod
2008-02-16 12:39 . 2008-02-16 12:39 <DIR> d-------- C:\Program Files\Bonjour
2008-02-16 12:39 . 2008-02-16 12:39 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\Apple Computer
2008-02-16 12:38 . 2008-02-16 12:38 <DIR> d-------- C:\Program Files\QuickTime
2008-02-16 12:38 . 2008-02-16 12:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-16 12:38 . 2008-02-16 12:38 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-16 12:38 . 2008-02-16 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-16 12:38 . 2008-02-16 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-16 12:38 . 2008-02-19 19:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-16 12:38 . 2008-02-16 12:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-16 12:35 . 2008-02-16 19:13 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-16 12:34 . 2008-02-16 12:34 <DIR> d-------- C:\Program Files\LimeWire
2008-02-16 12:20 . 2008-02-16 12:20 <DIR> d-------- C:\Program Files\QuickPar
2008-02-16 12:17 . 2008-02-16 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-02-16 10:42 . 2008-02-16 10:42 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-16 10:41 . 2008-02-16 10:41 <DIR> d-------- C:\Program Files\MSXML 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 02:08 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 11:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-06 11:30 8523776]
"nwiz"="nwiz.exe" [2007-11-06 11:30 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-06 11:30 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe" [2006-12-29 17:54 363008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^HP Image Zone Hızlı Başlangıç.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\HP Image Zone Hızlı Başlangıç.lnk
backup=C:\WINDOWS\pss\HP Image Zone Hızlı Başlangıç.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 11:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
--a------ 2008-02-16 00:45 190024 C:\Program Files\MessengerPlus! 3\MsgPlus.exe

R0 Si3531;SiI-3531 SATA Controller;C:\WINDOWS\system32\DRIVERS\Si3531.sys [2007-06-01 18:29]
R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2001-11-07 02:00]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 21:31:07 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.ex
- C:\Program Files\AntiSpywareApp
"2008-02-16 10:38:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-16 11:09:29 C:\WINDOWS\Tasks\WebReg Officejet 5600 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 19:20:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-19 19:20:57
ComboFix-quarantined-files.txt 2008-02-19 17:20:56
.
2008-02-15 20:36:21 --- E O F ---

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:21 PM

Posted 19 February 2008 - 01:09 PM

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job
C:\1618426808
C:\xjoukm.exe~
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\system32\sex1.ico.tmp
Folder::
C:\Program Files\AntiSpywareApp
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Also, Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\drivers\Kiqy70.sys

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply as well.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 ozgun

ozgun
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 19 February 2008 - 01:53 PM

here are the report from the website, Combofix and fresh HJT log


File Ldu44.sys received on 02.16.2008 19:28:29 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.16.10 2008.02.15 -
AntiVir 7.6.0.67 2008.02.15 -
Authentium 4.93.8 2008.02.15 -
Avast 4.7.1098.0 2008.02.15 -
AVG 7.5.0.516 2008.02.16 -
BitDefender 7.2 2008.02.16 -
CAT-QuickHeal None 2008.02.16 -
ClamAV 0.92.1 2008.02.16 -
DrWeb 4.44.0.09170 2008.02.16 -
eSafe 7.0.15.0 2008.02.14 -
eTrust-Vet 31.3.5541 2008.02.15 -
Ewido 4.0 2008.02.16 -
FileAdvisor 1 2008.02.16 -
Fortinet 3.14.0.0 2008.02.16 -
F-Prot 4.4.2.54 2008.02.15 -
F-Secure 6.70.13260.0 2008.02.15 -
Ikarus T3.1.1.20 2008.02.16 -
Kaspersky 7.0.0.125 2008.02.16 -
McAfee 5231 2008.02.15 -
Microsoft 1.3204 2008.02.16 -
NOD32v2 2880 2008.02.15 -
Norman 5.80.02 2008.02.15 -
Panda 9.0.0.4 2008.02.16 -
Prevx1 V2 2008.02.16 KAVKOP:Trojan-A
Rising 20.31.50.00 2008.02.16 -
Sophos 4.26.0 2008.02.16 -
Sunbelt 2.2.907.0 2008.02.16 -
Symantec 10 2008.02.16 -
TheHacker 6.2.9.222 2008.02.16 -
VBA32 3.12.6.1 2008.02.14 -
VirusBuster 4.3.26:9 2008.02.15 -
Webwasher-Gateway 6.6.2 2008.02.15 -
Additional information
File size: 167936 bytes
MD5: a6b0e6f37798a50064fb178cb7fa062e
SHA1: df6fe36685039c641b851bdf00e61d3dc2f62b23
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp...1810800CA64F383






ComboFix 08-02-18.1 - Ozgun KARAKULLUKCU 2008-02-19 20:37:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.1466 [GMT 2:00]
Running from: C:\Documents and Settings\Ozgun KARAKULLUKCU\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ozgun KARAKULLUKCU\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\1618426808
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job
C:\xjoukm.exe~
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1618426808
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware\Log\2008 Feb 17 - 10_24_23 PM_093.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware\Log\2008 Feb 17 - 10_37_12 PM_375.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware\Log\2008 Feb 17 - 10_38_03 PM_750.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware\Log\2008 Feb 17 - 11_26_45 PM_937.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware\Log\2008 Feb 17 - 11_31_07 PM_250.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware\Log\2008 Feb 18 - 12_02_12 AM_062.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware\rs.dat
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\AntiSpyware\Settings\ScanResults.pie
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 16 - 11_33_45 PM_625.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 16 - 11_33_47 PM_625.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 16 - 11_33_47 PM_765.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 16 - 11_33_49 PM_359.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 16 - 11_33_49 PM_484.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 16 - 11_33_56 PM_937.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 16 - 11_33_57 PM_062.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 16 - 11_38_05 PM_437.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 16 - 11_43_02 PM_281.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 16 - 11_43_19 PM_593.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 17 - 09_25_01 AM_390.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 17 - 10_00_00 AM_078.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 17 - 10_02_50 AM_953.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 17 - 10_15_44 AM_875.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 17 - 10_24_23 PM_328.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 17 - 10_25_32 PM_890.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 17 - 12_03_56 AM_937.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 17 - 12_25_53 AM_781.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Log\2008 Feb 17 - 12_43_16 AM_890.log
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Settings\CustomScan.stg
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Settings\IgnoreList.stg
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Settings\ScanInfo.stg
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Settings\SelectedFolders.stg
C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\PrivacyControl\Settings\Settings.stg
C:\WINDOWS\system32\sex1.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job
C:\xjoukm.exe~

.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-19 19:14 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-19 19:14 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-19 19:14 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-19 19:04 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DL1
2008-02-19 19:04 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DL1
2008-02-19 18:51 . 2008-02-18 22:42 449,350 --a------ C:\HaxFix.exe
2008-02-18 19:18 . 2008-02-18 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-18 18:57 . 2008-02-18 18:57 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\Symantec
2008-02-18 18:14 . 2008-02-18 18:17 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-18 18:02 . 2008-02-19 19:15 <DIR> d-------- C:\Program Files\Norton 360
2008-02-18 18:02 . 2008-02-19 19:02 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-18 18:02 . 2008-02-19 19:02 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-18 18:02 . 2008-02-19 19:02 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-18 18:02 . 2008-02-19 19:02 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-18 18:01 . 2008-02-19 19:02 <DIR> d-------- C:\Program Files\Symantec
2008-02-18 18:01 . 2008-02-19 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-18 18:00 . 2008-02-19 20:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-18 12:22 . 2008-02-18 12:22 <DIR> d--h----- C:\Documents and Settings\Ozgun KARAKULLUKCU\.TemporaryItems
2008-02-18 10:00 . 2008-02-18 10:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-18 09:53 . 2008-02-18 09:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-18 09:52 . 2008-02-18 09:52 <DIR> dr------- C:\Documents and Settings\Administrator\Sık Kullanılanlar
2008-02-18 09:52 . 2008-02-18 09:52 <DIR> dr------- C:\Documents and Settings\Administrator\Belgelerim
2008-02-18 09:52 . 2008-02-18 09:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-18 09:52 . 2004-08-04 14:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-17 23:34 . 2008-02-19 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-17 22:46 . 2008-02-17 22:46 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\Grisoft
2008-02-17 22:46 . 2008-02-17 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-17 22:46 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-17 09:52 . 2008-02-17 09:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-17 09:46 . 2008-02-17 10:15 <DIR> d-------- C:\SDFix
2008-02-16 23:58 . 2008-02-16 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-02-16 23:09 . 2008-02-16 23:09 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\Talkback
2008-02-16 23:09 . 2008-02-16 23:09 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2008-02-16 23:09 . 2008-02-16 23:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-16 23:08 . 2008-02-16 23:08 3,738 --a------ C:\WINDOWS\mozver.dat
2008-02-16 21:55 . 2008-02-16 21:55 167,936 --a------ C:\WINDOWS\system32\drivers\Kiqy70.sys
2008-02-16 21:52 . 2008-02-16 21:52 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-02-16 21:52 . 2008-02-16 21:52 <DIR> d-------- C:\Program Files\Futuremark
2008-02-16 21:52 . 1999-10-21 09:12 20,400 --------- C:\WINDOWS\system32\drivers\Entech.sys
2008-02-16 21:52 . 2001-11-19 18:05 3,972 --------- C:\WINDOWS\system32\drivers\PciBus.sys
2008-02-16 20:13 . 2008-02-16 20:13 <DIR> dr-h----- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\SecuROM
2008-02-16 20:13 . 2008-02-16 20:13 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-02-16 20:03 . 2008-02-16 20:03 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-02-16 20:03 . 2008-02-16 20:03 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-02-16 20:02 . 2008-02-19 19:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-16 18:47 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-02-16 18:47 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-02-16 15:27 . 2008-02-16 15:27 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\vlc
2008-02-16 14:37 . 2008-02-16 14:37 <DIR> d-------- C:\Program Files\JPN GaMeS
2008-02-16 14:13 . 2008-02-16 14:13 <DIR> d-------- C:\WINDOWS\San Andreas Mod Installer
2008-02-16 14:13 . 2008-02-16 14:13 <DIR> d-------- C:\Program Files\San Andreas Mod Installer
2008-02-16 13:29 . 2008-02-16 13:29 <DIR> d-------- C:\Program Files\Rockstar Games
2008-02-16 13:05 . 2008-02-16 13:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-16 12:59 . 2007-01-19 11:46 49,920 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-02-16 12:59 . 2007-01-19 11:46 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-02-16 12:58 . 2005-10-21 19:52 21,568 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-02-16 12:58 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-16 12:58 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-16 12:56 . 2008-02-16 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-02-16 12:55 . 2008-02-16 12:55 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-02-16 12:55 . 2008-02-16 12:55 <DIR> d-------- C:\Program Files\Common Files\HP
2008-02-16 12:55 . 2008-02-16 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-02-16 12:53 . 2008-02-16 12:53 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-16 12:52 . 2008-02-16 12:52 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-02-16 12:51 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-02-16 12:51 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-02-16 12:51 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-02-16 12:51 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-02-16 12:51 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-02-16 12:51 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-02-16 12:51 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-02-16 12:50 . 2008-02-16 12:59 <DIR> d-------- C:\Program Files\HP
2008-02-16 12:50 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-16 12:50 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-16 12:46 . 2008-02-16 12:59 112,713 --a------ C:\WINDOWS\hpoins07.dat
2008-02-16 12:46 . 2005-05-24 10:22 21,124 --------- C:\WINDOWS\hpomdl07.dat
2008-02-16 12:45 . 2008-02-18 09:50 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\HP
2008-02-16 12:39 . 2008-02-16 12:39 <DIR> d-------- C:\Program Files\iTunes
2008-02-16 12:39 . 2008-02-16 12:39 <DIR> d-------- C:\Program Files\iPod
2008-02-16 12:39 . 2008-02-16 12:39 <DIR> d-------- C:\Program Files\Bonjour
2008-02-16 12:39 . 2008-02-16 12:39 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\Apple Computer
2008-02-16 12:38 . 2008-02-16 12:38 <DIR> d-------- C:\Program Files\QuickTime
2008-02-16 12:38 . 2008-02-16 12:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-16 12:38 . 2008-02-16 12:38 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-16 12:38 . 2008-02-16 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-16 12:38 . 2008-02-16 12:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-16 12:38 . 2008-02-19 19:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-16 12:38 . 2008-02-16 12:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-16 12:35 . 2008-02-16 19:13 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-02-16 12:34 . 2008-02-16 12:34 <DIR> d-------- C:\Program Files\LimeWire
2008-02-16 12:20 . 2008-02-16 12:20 <DIR> d-------- C:\Program Files\QuickPar
2008-02-16 12:17 . 2008-02-16 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-02-16 10:42 . 2008-02-16 10:42 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-16 10:41 . 2008-02-16 10:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-16 10:31 . 2008-02-18 20:18 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-02-16 00:45 . 2008-02-16 00:45 <DIR> d-------- C:\Program Files\MessengerPlus! 3
2008-02-16 00:43 . 2008-02-16 00:43 <DIR> d-------- C:\Program Files\UseNeXT
2008-02-16 00:43 . 2008-02-16 00:43 <DIR> d-------- C:\Program Files\BitComet
2008-02-16 00:43 . 2008-02-16 19:12 <DIR> d-------- C:\Documents and Settings\Ozgun KARAKULLUKCU\Application Data\UseNeXT
2008-02-16 00:42 . 2008-02-16 00:42 <DIR> d-------- C:\Program Files\IrfanView

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 02:08 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2005-05-11 21:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 11:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-06 11:30 8523776]
"nwiz"="nwiz.exe" [2007-11-06 11:30 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-06 11:30 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe" [2006-12-29 17:54 363008]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^HP Image Zone Hızlı Başlangıç.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\HP Image Zone Hızlı Başlangıç.lnk
backup=C:\WINDOWS\pss\HP Image Zone Hızlı Başlangıç.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 11:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
--a------ 2008-02-16 00:45 190024 C:\Program Files\MessengerPlus! 3\MsgPlus.exe

R0 Si3531;SiI-3531 SATA Controller;C:\WINDOWS\system32\DRIVERS\Si3531.sys [2007-06-01 18:29]
R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2001-11-07 02:00]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-16 10:38:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-16 11:09:29 C:\WINDOWS\Tasks\WebReg Officejet 5600 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 20:39:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-19 20:39:26
ComboFix-quarantined-files.txt 2008-02-19 18:39:24
ComboFix2.txt 2008-02-19 17:20:58
.
2008-02-15 20:36:21 --- E O F ---






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:15, on 19.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ipconfig.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203054148203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1203150885843
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8857 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users