Infected with Sirefef.EZ trojan


  • This topic is locked
20 replies to this topic

#1 melikedi

melikedi

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 26 July 2013 - 02:57 AM

Hello,

I made a facetious mistake and ran an exe file downloaded via a torrent file. First I noticed that my Windows Firewall was not functioning, and it couldn't be opened manually. I downloaded a Microsoft Fix found at http://support.microsoft.com/kb/2530126/en and finally succeeded in starting Windows Firewall.

Then I scanned the computer with Eset Nod 32. It cleaned some leaks. And I thought that that's it. Obviously I was wrong.

 

Nod 32 continuously gave alerts about threats (Win32/Sirefef and Win32/Conedex variations) being found.

Then I downloaded Microsoft Security Essentials and it found and cleaned some threats. (Before I ran a scan with MSE, I uninstalled Nod 32.)

 

Then I ran a quick scan with Microsoft Safety Scanner; the result was clean.

 

Then I reinstalled Nod 32, but I think I'm still infected.

Even though the alerts about Conedex are absent now, Nod 32 still gives alerts that it found Win32/Sirefef.EZ at C:\Windows\assembly\GAC\Desktop.ini, that it was cleaned by deleting, and that I should restart my computer. However, after restarting the computer Nod32 gives the same alerts.

 

Thanks in advance.

 

Here is my DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 10.25.2
Run by Melike at 10:26:59 on 2013-07-26
Microsoft Windows 7 Professional   6.1.7601.1.1254.90.1055.18.3327.880 [GMT 3:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\esinter\Bin\eservutil.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\ProgramData\Quest Software\BMF\Repository\MySQL\bin\mysqld-max-nt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Quest Software\Toad for Data Analysts 2.6.1\SQLLIB\BIN\db2mgmtsvc.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\bin\msmdsrv.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
C:\Oracle\product\11.1.0\db_1\bin\nmesrvc.exe
C:\Windows\system32\conhost.exe
c:\oracle\product\11.1.0\db_1\Bin\extjob.exe
C:\Oracle\product\11.1.0\db_1\BIN\TNSLSNR.exe
c:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE
C:\Oracle\product\11.1.0\db_1\bin\OraVSSW.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Oracle\product\11.1.0\db_1\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
C:\Oracle\product\11.1.0\db_1\jdk\bin\java.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Oracle\product\11.1.0\db_1\bin\emagent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
C:\Windows\system32\Wise\WiseSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Wise for Windows Installer\Service\WiseTaskSvc.exe
C:\Program Files\DevExpress\Report Server 12.2\DevExpress.ReportServer.v12.2.Worker.exe
C:\Program Files\Wise for Windows Installer\DBTaskExec.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files\MyHeritage\Bin\FTBCheckUpdates.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\Melike\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdhost.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k ftpsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\svchost.exe -k WindowsMobile
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.tr/
uURLSearchHooks: {ba14329e-9550-4989-b3f2-9732e92d17cc} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {876d9f09-c6d6-4324-a2cc-04dd9a4de12f} - c:\program files\microsoft visual studio 11.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - c:\program files\internet explorer\iedvtool.dll
EB: Web Test Recorder 10.0: {3142c289-f319-47f5-a594-a827028714c9} -
uRun: [Facebook Update] "c:\users\melike\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Windows Mobile Device Center] c:\windows\windowsmobile\wmdc.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mRun: [Family Tree Builder Update] c:\program files\myheritage\bin\FTBCheckUpdates.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Wondershare Helper Compact.exe] c:\program files\common files\wondershare\wondershare helper compact\WSHelper.exe
mRun: [BrowserPlugInHelper] c:\program files\wondershare\video converter ultimate\BrowserPlugInHelper.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [MSC] "c:\program files\microsoft security client\mssecex.exe" -hide -runkey
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\users\melike\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\melike\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\melike\appdata\roaming\micros~1\windows\startm~1\programs\startup\everno~1.lnk - c:\program files\evernote\evernote\EvernoteClipper.exe
StartupFolder: c:\users\melike\appdata\roaming\micros~1\windows\startm~1\programs\startup\myasup~1.lnk - c:\depo\myacenter dökümanlar\myasupportnet\MyaSupportNet.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Sothink Flash Downloader For IE - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
DPF: {414FB93D-DEDD-4FEF-AD7F-167992EBDB52} - hxxps://vpn.ora.com.tr//SNX/CSHELL/extender.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{216AEC82-E66B-419A-9B45-C5314D003858} : DHCPNameServer = 192.168.1.1
Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\program files\quest software\toad for oracle 10.5\RNetPin.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= HookDLL.DLL
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2013-2-14 171680]
R2 ADExchange;ArcSoft Exchange Service;c:\program files\common files\arcsoft\esinter\bin\eservutil.exe [2011-10-26 37280]
R2 BMFMySQL;BMFMySQL;c:\programdata\quest software\bmf\repository\mysql\bin\mysqld-max-nt.exe [2005-10-22 4431872]
R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2011-6-2 355504]
R2 DB2MGMTSVC_TACOM26;DB2 Management Service (TACOM26);c:\program files\quest software\toad for data analysts 2.6.1\sqllib\bin\db2mgmtsvc.exe [2009-12-17 37736]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2013-3-21 1341664]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2013-1-10 105760]
R2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe -k ftpsvc [2009-7-14 20992]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2013-6-28 1440080]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2012-1-31 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-9-16 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-5-1 47640]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
R2 OracleDBConsoleMYASOFT;OracleDBConsoleMYASOFT;c:\oracle\product\11.1.0\db_1\bin\nmesrvc.exe [2011-5-16 25600]
R2 OracleJobSchedulerMYASOFT;OracleJobSchedulerMYASOFT;c:\oracle\product\11.1.0\db_1\bin\extjob.exe myasoft --> c:\oracle\product\11.1.0\db_1\bin\extjob.exe MYASOFT [?]
R2 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;c:\oracle\product\11.1.0\db_1\bin\tnslsnr  --> c:\oracle\product\11.1.0\db_1\bin\TNSLSNR  [?]
R2 OracleServiceMYASOFT;OracleServiceMYASOFT;c:\oracle\product\11.1.0\db_1\bin\oracle.exe myasoft --> c:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE MYASOFT [?]
R2 OracleVssWriterMYASOFT;Oracle MYASOFT VSS Writer Service;c:\oracle\product\11.1.0\db_1\bin\oravssw.exe myasoft --> c:\oracle\product\11.1.0\db_1\bin\OraVSSW.exe MYASOFT [?]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2012-3-23 87040]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.mssqlserver\reporting services\reportserver\bin\ReportingServicesService.exe [2009-3-30 1113448]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-7-12 3289472]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2013-1-18 383264]
R2 TeamViewer8;TeamViewer 8;c:\program files\teamviewer\version8\TeamViewer_Service.exe [2013-1-31 3467768]
R2 WiseSvc;WiseSvc;c:\windows\system32\wise\WiseSvc.exe [2005-12-13 77824]
R2 Worker;DevExpress Report Server v12.2 Worker;c:\program files\devexpress\report server 12.2\DevExpress.ReportServer.v12.2.Worker.exe [2012-12-27 52736]
R3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.mssqlserver\mssql\binn\fdlauncher.exe [2008-7-10 31256]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2011-6-2 129304]
S1 MpKsl417aaf61;MpKsl417aaf61;c:\windows\temp\MpKsl417aaf61.sys [2013-7-25 29904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 LOGO_TIGERPLUS_Service_6304_200131_2_12;LOGO_TIGERPLUS_Service 2.12.1.0 (6304-200131);c:\program files\logo\tiger plus\LOGO_TIGERPLUS_Service.exe [2013-1-29 10312832]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-3 162408]
S2 TaskScheduler;DevExpress Report Server v12.2 TaskScheduler;c:\program files\devexpress\report server 12.2\DevExpress.ReportServer.v12.2.TaskScheduler.exe [2012-12-27 42496]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-3-29 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-6-18 107392]
S3 NisSrv;Microsoft Ağ İnceleme;c:\program files\microsoft security client\NisSrv.exe [2013-7-18 295376]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-2-21 14848]
S3 StorSvc;Depolama Hizmeti;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 Te.Service;Te.Service;c:\program files\windows kits\8.0\testing\runtimes\taef\Wex.Services.exe [2012-7-25 94208]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-2-21 49664]
S3 WatAdminSvc;Windows Etkinleştirme Teknolojileri Hizmeti;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-18 1343400]
S3 WMSVC;Web Yönetimi Hizmeti;c:\windows\system32\inetsrv\WMSvc.exe [2009-7-14 9728]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2013-3-1 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
SUnknown nrpxgcyk;nrpxgcyk; [x]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .vbe: VBEFile="c:\windows\system32\CScript.exe" "%1" %* [default=Open2]
FileExt: .vbs: VBSFile="c:\windows\system32\CScript.exe" "%1" %* [default=Open2]
FileExt: .js: JSFile=c:\windows\system32\CScript.exe "%1" %* [default=Open2]
FileExt: .jse: JSEFile=c:\windows\system32\CScript.exe "%1" %* [default=Open2]
FileExt: .wsf: WSFFile="c:\windows\system32\CScript.exe" "%1" %* [default=Open2]
ShellExec: devenv.exe: open="devenv.exe" "%1"
ShellExec: devenv.exe.11.0: edit="c:\program files\microsoft visual studio 11.0\common7\ide\devenv.exe" /dde
ShellExec: devenv.exe.11.0: open="c:\program files\microsoft visual studio 11.0\common7\ide\devenv.exe" "%1"
.
=============== Created Last 30 ================
.
2013-07-26 06:53:26 -------- d-----w- c:\program files\ESET
2013-07-25 17:56:14 7143960 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{bfb2a9d5-c6bf-44c9-ae6b-1f137844e3e7}\mpengine.dll
2013-07-25 16:45:59 -------- d-----w- c:\program files\Cobian Backup 11
2013-07-25 16:44:41 -------- d-----w- c:\program files\Microsoft Security Client
2013-07-24 06:18:25 -------- d-----w- c:\program files\x264 Video Codec
2013-07-23 19:10:57 7143960 ------w- c:\programdata\microsoft\windows defender\definition updates\{9b950ee3-d21f-426a-b412-6e85f0f68f01}\mpengine.dll
2013-07-22 13:08:04 -------- d-----w- c:\program files\AdamPosCoLtd
2013-07-22 11:53:23 -------- d-----w- C:\Myasoft 2.0
2013-07-20 04:37:14 606208 ----a-w- c:\windows\system32\HexUniRTFBox.ocx
2013-07-20 04:37:14 258352 ----a-w- c:\windows\system32\unicows.dll
2013-07-20 04:37:14 2029056 ----a-w- c:\windows\system32\PDFDocScout.DLL
2013-07-11 16:23:23 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-07-11 16:23:21 1620480 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-11 16:23:20 509440 ----a-w- c:\windows\system32\qedit.dll
2013-07-11 16:23:20 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-07-11 16:23:16 988672 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2013-07-11 16:23:16 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2013-07-11 16:23:16 936448 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2013-07-11 16:23:15 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2013-07-11 16:23:09 680960 ----a-w- c:\program files\windows defender\MpSvc.dll
2013-07-11 16:23:09 392704 ----a-w- c:\program files\windows defender\MpClient.dll
2013-07-11 16:23:09 224768 ----a-w- c:\program files\windows defender\MpCommu.dll
2013-07-10 19:53:17 -------- d-----w- c:\program files\LogMeIn Hamachi
2013-07-08 13:11:43 -------- d--h--w- c:\program files\Zero G Registry
2013-07-08 12:26:04 -------- d--h--w- c:\users\melike\InstallAnywhere
2013-07-08 09:24:54 -------- d-----w- C:\Cognos
2013-07-08 07:55:05 -------- d-----w- c:\program files\common files\GSTools
2013-07-08 07:53:19 24576 ----a-w- c:\windows\system32\NTEventLogAppender.dll
2013-07-08 07:53:19 -------- d-----w- c:\windows\system32\vers
2013-07-08 07:44:48 -------- d-----w- c:\program files\ibm
2013-07-08 07:36:18 -------- d-----w- c:\users\melike\DownloadDirector
2013-07-08 06:58:00 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-03 12:01:06 928288 ----a-w- c:\windows\system32\FTBSaver.scr
.
==================== Find3M  ====================
.
2013-07-25 06:52:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-25 06:52:14 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-08 06:57:53 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-08 06:57:53 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-18 18:50:08 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-18 18:50:08 107392 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-06-11 23:43:37 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-06-11 23:43:00 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-06-11 23:42:58 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-06-11 23:42:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-06-11 22:51:45 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-06-10 04:08:10 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-06-07 02:37:52 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-13 04:45:55 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 03:08:10 903168 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- c:\windows\system32\certenc.dll
2013-05-10 03:20:54 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-08 05:38:00 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-05-06 05:06:47 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-06 05:06:47 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
.
============= FINISH: 10:29:30,83 ===============
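The DDS log above already carries several of the signs a responder looks for with this family: UAC switched off (EnableLUA = dword:0), a populated AppInit_DLLs value, and a service (nrpxgcyk) with a random-looking name and no file on disk; the mbar logs later in the thread add a fake GoogleUpdate.exe under Google\Desktop\Install and the Desktop.ini under C:\Windows\assembly\GAC. The Python script below is an added example, not part of this thread and not the DDS tool's own code: it runs a few heuristic rules over constructed sample lines modelled on that log. The sample lines, the EXPECTED_LOCATION allowlist and the looks_random heuristic are assumptions made for illustration.

```python
"""Heuristic triage of DDS-style log lines for ZeroAccess/Sirefef indicators.

Added example: not part of the forum thread and not the DDS tool's own code.
The rules encode what a responder looks for in such a log: UAC switched off,
a populated AppInit_DLLs value, a service with no image on disk, an autostart
launched from an unexpected location, and known drop paths for this family.
"""
import re

# Constructed sample (modelled on the DDS log posted above, not a real capture).
# Backslashes are doubled because this is a normal Python string.
SAMPLE_DDS = """\
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
AppInit_DLLs= HookDLL.DLL
SSODL: WebCheck - <orphaned>
R0 MpFilter;Microsoft Malware Protection Driver;c:\\windows\\system32\\drivers\\MpFilter.sys [2013-6-18 211560]
S3 fsssvc;Windows Live Family Safety Service;c:\\program files\\windows live\\family safety\\fsssvc.exe [x]
SUnknown nrpxgcyk;nrpxgcyk; [x]
mRun: [egui] "c:\\program files\\eset\\eset nod32 antivirus\\egui.exe" /hide /waitservice
uRun: [Google Update] "c:\\users\\melike\\appdata\\local\\google\\desktop\\install\\{fedefdcc-1dbb-1b1a-2a79-f69b29c933a6}\\GoogleUpdate.exe" /c
2013-07-20 04:37:14 1024 ----a-w- c:\\windows\\assembly\\GAC\\Desktop.ini
"""

POLICY_RE = re.compile(r"^mPolicies-System:\s+(\w+)\s*=\s*dword:(\d+)$")
SERVICE_RE = re.compile(r"^(R\d|S\d|SUnknown)\s+([^;]+);([^;]*);(.*)$")
RUN_RE = re.compile(r'^[um]Run:\s+\[([^\]]*)\]\s+"?([^"]+?\.exe)"?', re.IGNORECASE)
VOWELS = set("aeiou")

# Assumption: a tiny illustrative allowlist of where a well-known autostart's
# genuine binary lives. A real one would be far larger.
EXPECTED_LOCATION = {"google update": "\\google\\update\\"}

# Drop locations this family used on the machine in the thread (both were
# flagged by Malwarebytes Anti-Rootkit in the posts that follow).
KNOWN_DROP_PATHS = ("\\windows\\assembly\\gac\\desktop.ini", "\\google\\desktop\\install\\{")


def looks_random(name):
    """Rough heuristic for generated service names such as 'nrpxgcyk': eight or
    more lower-case letters without a single vowel. Abbreviations can trip it,
    so it only raises the severity of a finding rather than creating one."""
    return len(name) >= 8 and name.isalpha() and name.islower() and not (set(name) & VOWELS)


def scan_dds(text):
    """Return a list of (severity, reason, line) for lines that match a rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        m = POLICY_RE.match(line)
        if m:  # UAC policy values; only EnableLUA=0 is treated as an indicator here
            if m.group(1) == "EnableLUA" and m.group(2) == "0":
                findings.append(("high", "UAC disabled (EnableLUA=0)", line))
            continue

        if low.startswith("appinit_dlls=") and line.split("=", 1)[1].strip():
            findings.append(("high", "AppInit_DLLs is set: the DLL is loaded into every user32 process", line))
            continue

        m = SERVICE_RE.match(line)
        if m:  # as in the log above, a service whose binary is missing ends in [x] or has status SUnknown
            status, name, _desc, rest = m.groups()
            if status == "SUnknown" or rest.strip().endswith("[x]"):
                sev = "high" if looks_random(name) else "medium"
                findings.append((sev, f"service '{name}' has no image file on disk", line))
            continue

        m = RUN_RE.match(line)
        if m:  # Run-key autostart: compare the image path with the expected location
            entry, image = m.group(1), m.group(2).lower()
            expected = EXPECTED_LOCATION.get(entry.lower())
            if expected and expected not in image:
                findings.append(("high", f"Run entry '{entry}' launches from an unexpected path", line))
            continue

        if any(p in low for p in KNOWN_DROP_PATHS):
            findings.append(("high", "known ZeroAccess drop location referenced", line))
    return findings


if __name__ == "__main__":
    for sev, reason, line in scan_dds(SAMPLE_DDS):
        print(f"[{sev:6}] {reason}\n         {line}")
```

Run as a script it prints six findings for the sample: five rated high and one medium (the Family Safety service whose file is missing but whose name is an ordinary abbreviation). The rules stop at the first match per line so one entry is never reported twice, and the path rule is deliberately last so that it only catches lines the more specific rules did not.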
#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:36 PM

Posted 26 July 2013 - 03:38 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here: Malwarebytes Anti-Rootkit, and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt. Please attach that to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 melikedi

melikedi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 26 July 2013 - 05:54 AM

Hi Marius,

My name is melike. Thanks for such a quick reply.

Since I didn't expect someone would answer so quickly, I had started a quick scan with Malwarebytes Anti-Malware (Trial) 1.75.0.1300 before I got a reply from you. I hope this does not affect anything. When I got your response, I aborted the scan. It detected two problems before I aborted; if you are interested, I can send you its log too.

 

When I ran mbar.exe, it showed a message box saying, "Registry value 'AppInit_Dlls' has been found, which may be caused by rootkit activity. Do you want to remove this value and restart the tool?". Since the message box has a note warning to press "No" if you are not sure, I did so. I attached a screenshot of the message box.

 

And here is the log file from mbar:

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.26.03

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16635
Melike :: MELIKE-PC [administrator]

26.07.2013 12:00:29
mbar-log-2013-07-26 (12-00-29).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 420764
Time elapsed: 1 hour(s), 32 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Google Update (Trojan.Fake.MS) -> Data:  -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
c:\Users\Melike\AppData\Local\Google\Desktop\Install\{fedefdcc-1dbb-1b1a-2a79-f69b29c933a6}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{fedefdcc-1dbb-1b1a-2a79-f69b29c933a6}\GoogleUpdate.exe (Trojan.Fake.MS) -> No action taken.
c:\Windows\assembly\GAC\Desktop.ini (Rootkit.0access) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

My first language is not English either, so forgive me for my broken English.

 

Thank you.

 

#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:36 PM

Posted 26 July 2013 - 05:57 AM

Fix with Malwarebytes Anti-Rootkit

Run another scan with mbar.exe and click the CleanUp button. It will require a reboot.

When it has rebooted, run another scan with mbar.exe and click CleanUp again if necessary.

Send the mbar-log.txt along with an update on machine behavior.



#5 melikedi

melikedi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 26 July 2013 - 09:51 AM

Hi Marius,
Mbar cleaned up the detected threats. I rebooted the computer and rescanned. It reported "No malware found".
Here is the log:
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org
 
Database version: v2013.07.26.03
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16635
Melike :: MELIKE-PC [administrator]
 
26.07.2013 15:51:31
mbar-log-2013-07-26 (15-51-31).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 420162
Time elapsed: 1 hour(s), 44 minute(s), 20 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
Since I rebooted, Nod32 has not given any alerts. However, I think something that I cannot pinpoint has happened in the security settings, since every running program asks for some permissions and Internet Explorer cannot open web pages: it either stops responding or is extremely slow. I could not reply to you from the infected computer; when I tried to open the page it hung, and when I closed Explorer, a Word file with the content of the page in it opened.
 

Edit: After I disabled Protected Mode in the settings of Internet Explorer, everything seems ok.


Edited by melikedi, 26 July 2013 - 11:41 AM.


#6 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 27 July 2013 - 07:32 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs / spyware scanners; they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#7 melikedi (Topic Starter, Members, 10 posts)

Posted 27 July 2013 - 09:57 AM

Hi,

I ran combofix. After a while the computer restarted and a combofix window appeared saying that the log file was being prepared. Then an error window emerged with the following message:

 

"Registry editor

RegRuns00 could not be exported. Error in writing file. it could be disk or file system error."

 

I'm translating the error messages from Turkish, so these may not be the exact wording.

 

Then I closed the error message, the combofix window disappeared and a log file opened. I closed the log file.

 

Now I could not open Internet Explorer or Notepad. It says:

 

"Invalid operation is attempted to a registry key marked to be deleted"

 

Here is the combofix.txt:

 

ComboFix 13-07-25.02 - Melike 27.07.2013  16:31:08.1.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1254.90.1055.18.3327.1556 [GMT 3:00]
Running from: c:\users\Melike\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 6.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: ESET NOD32 Antivirus 6.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\AMMYY
c:\programdata\AMMYY\hr
c:\programdata\AMMYY\hr3
c:\programdata\AMMYY\settings3.bin
c:\users\Melike\AppData\Local\assembly\tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\7D5E.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\7D5F.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\7D70.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\9C80.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\9C81.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\9C82.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\A2D8.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\A2D9.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\A2F9.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\BABF.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\BAC0.tmp
c:\users\Melike\AppData\Local\Microsoft\Windows\Temporary Internet Files\BAC1.tmp
c:\users\Melike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyaSupportNet.exe.LNK
c:\windows\Fonts\quest2.ttf
c:\windows\PFRO.log
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_TaskScheduler
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-27 to 2013-07-27  )))))))))))))))))))))))))))))))
.
.
2013-07-27 13:47 . 2013-07-27 13:47 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-07-27 13:47 . 2013-07-27 13:47 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2013-07-27 13:47 . 2013-07-27 13:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-27 13:47 . 2013-07-27 13:47 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2013-07-27 06:21 . 2013-07-15 00:34 7143960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B6D2C65A-6DF4-45B1-9F99-1471A2BFDD66}\mpengine.dll
2013-07-26 17:17 . 2013-07-26 17:20 -------- d-----w- c:\windows\system32\MRT
2013-07-26 08:34 . 2013-07-26 08:34 -------- d-----w- c:\users\Melike\AppData\Roaming\Malwarebytes
2013-07-26 08:33 . 2013-07-26 08:33 -------- d-----w- c:\programdata\Malwarebytes
2013-07-26 08:33 . 2013-07-26 08:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-26 08:33 . 2013-04-04 11:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-26 06:53 . 2013-07-26 06:53 -------- d-----w- c:\program files\ESET
2013-07-25 17:56 . 2013-07-15 00:34 7143960 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-07-25 16:45 . 2013-07-25 16:46 -------- d-----w- c:\program files\Cobian Backup 11
2013-07-25 16:44 . 2013-07-25 17:53 -------- d-----w- c:\program files\Microsoft Security Client
2013-07-24 06:18 . 2013-07-24 06:18 -------- d-----w- c:\program files\x264 Video Codec
2013-07-22 13:08 . 2013-07-22 13:08 -------- d-----w- c:\program files\AdamPosCoLtd
2013-07-22 11:53 . 2013-07-22 11:53 -------- d-----w- C:\Myasoft 2.0
2013-07-20 04:37 . 2012-08-02 05:56 606208 ----a-w- c:\windows\system32\HexUniRTFBox.ocx
2013-07-20 04:37 . 2010-06-17 16:49 2029056 ----a-w- c:\windows\system32\PDFDocScout.DLL
2013-07-11 16:23 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-07-11 16:23 . 2013-06-04 04:53 509440 ----a-w- c:\windows\system32\qedit.dll
2013-07-11 16:23 . 2013-04-10 05:03 936448 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 16:23 . 2013-04-10 05:03 988672 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-07-11 16:23 . 2013-04-10 05:03 969216 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-07-11 16:23 . 2013-04-10 05:04 1221632 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-07-11 16:23 . 2013-05-27 04:57 680960 ----a-w- c:\program files\Windows Defender\MpSvc.dll
2013-07-11 16:23 . 2013-05-27 04:57 392704 ----a-w- c:\program files\Windows Defender\MpClient.dll
2013-07-11 16:23 . 2013-05-27 04:57 224768 ----a-w- c:\program files\Windows Defender\MpCommu.dll
2013-07-10 19:53 . 2013-07-10 19:53 -------- d-----w- c:\program files\LogMeIn Hamachi
2013-07-08 13:11 . 2013-07-08 13:16 -------- d--h--w- c:\program files\Zero G Registry
2013-07-08 12:26 . 2013-07-08 12:26 -------- d--h--w- c:\users\Melike\InstallAnywhere
2013-07-08 09:24 . 2013-07-12 10:43 -------- d-----w- C:\Cognos
2013-07-08 07:55 . 2013-07-08 07:55 -------- d-----w- c:\program files\Common Files\GSTools
2013-07-08 07:53 . 2009-05-12 14:21 24576 ----a-w- c:\windows\system32\NTEventLogAppender.dll
2013-07-08 07:44 . 2013-07-08 13:11 -------- d-----w- c:\program files\ibm
2013-07-08 07:36 . 2013-07-08 07:42 -------- d-----w- c:\users\Melike\DownloadDirector
2013-07-08 06:58 . 2013-07-08 06:58 -------- d-----w- c:\program files\Common Files\Java
2013-07-03 12:01 . 2013-07-03 12:01 928288 ----a-w- c:\windows\system32\FTBSaver.scr
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-25 06:52 . 2012-04-18 19:21 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-25 06:52 . 2011-05-23 14:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-22 10:43 . 2012-04-19 14:53 2534880 ----a-w- c:\programdata\Microsoft\VisualStudio\11.0\1033\ResourceCache.dll
2013-07-08 06:57 . 2013-07-08 06:58 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-08 06:57 . 2012-05-18 21:26 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-08 06:57 . 2011-06-16 20:36 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-07-02 06:54 . 2013-07-23 19:10 7143960 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9B950EE3-D21F-426A-B412-6E85F0F68F01}\mpengine.dll
2013-06-18 18:50 . 2013-06-18 18:50 211560 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-06-18 18:50 . 2013-06-18 18:50 107392 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-06-11 23:43 . 2013-07-12 00:13 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-06-10 04:08 . 2011-05-16 08:25 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-06-05 03:05 . 2013-07-11 16:23 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-15 06:40 . 2012-02-15 07:22 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-13 04:45 . 2013-06-12 20:14 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 04:45 . 2013-06-12 20:14 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 04:45 . 2013-06-12 20:14 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 03:08 . 2013-06-12 20:14 903168 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-12 20:14 43008 ----a-w- c:\windows\system32\certenc.dll
2013-05-10 03:20 . 2013-06-12 20:14 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-08 05:38 . 2013-06-12 20:14 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-05-06 05:06 . 2013-06-12 20:14 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-06 05:06 . 2013-06-12 20:14 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-06 04:56 . 2013-07-11 16:23 1620480 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-05-01 00:03 . 2013-05-01 00:03 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-05-01 00:03 . 2013-05-01 00:03 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-05-01 00:03 . 2013-05-01 00:03 719360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-05-01 00:03 . 2013-05-01 00:03 61952 ----a-w- c:\windows\system32\tdc.ocx
2013-05-01 00:03 . 2013-05-01 00:03 523264 ----a-w- c:\windows\system32\vbscript.dll
2013-05-01 00:03 . 2013-05-01 00:03 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-05-01 00:03 . 2013-05-01 00:03 38400 ----a-w- c:\windows\system32\imgutil.dll
2013-05-01 00:03 . 2013-05-01 00:03 361984 ----a-w- c:\windows\system32\html.iec
2013-05-01 00:03 . 2013-05-01 00:03 185344 ----a-w- c:\windows\system32\elshyph.dll
2013-05-01 00:03 . 2013-05-01 00:03 158720 ----a-w- c:\windows\system32\msls31.dll
2013-05-01 00:03 . 2013-05-01 00:03 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-05-01 00:03 . 2013-05-01 00:03 138752 ----a-w- c:\windows\system32\wextract.exe
2013-05-01 00:03 . 2013-05-01 00:03 137216 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-01 00:03 . 2013-05-01 00:03 12800 ----a-w- c:\windows\system32\mshta.exe
2013-05-01 00:03 . 2013-05-01 00:03 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-05-01 00:03 . 2013-05-01 00:03 23040 ----a-w- c:\windows\system32\licmgr10.dll
2013-05-01 00:03 . 2013-05-01 00:03 1441280 ----a-w- c:\windows\system32\inetcpl.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1MediaIconsOverlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2013-07-24 06:18 225280 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Melike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Melike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Melike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Melike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Melike\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-10-17 138096]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-03 19603048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-17 651264]
"Family Tree Builder Update"="c:\program files\MyHeritage\Bin\FTBCheckUpdates.exe" [2013-07-03 2528256]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-27 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-09 421776]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2013-06-28 2255184]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2013-03-21 5078504]
.
c:\users\Melike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Melike\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-25 27776968]
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2012-1-23 1014112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 gxikneew;gxikneew;c:\windows\system32\drivers\gxikneew.sys [x]
R1 mkajsqtp;mkajsqtp;c:\windows\system32\drivers\mkajsqtp.sys [x]
R1 MpKsl417aaf61;MpKsl417aaf61;c:\windows\Temp\MpKsl417aaf61.sys [x]
R2 LOGO_TIGERPLUS_Service_6304_200131_2_12;LOGO_TIGERPLUS_Service 2.12.1.0 (6304-200131);c:\program files\LOGO\TIGER PLUS\LOGO_TIGERPLUS_Service.exe [2012-04-20 10312832]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-06-03 162408]
R2 Worker;DevExpress Report Server v12.2 Worker;c:\program files\DevExpress\Report Server 12.2\DevExpress.ReportServer.v12.2.Worker.exe [2012-12-27 52736]
R3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [x]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-23 23040]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-06-18 107392]
R3 NisSrv;Microsoft Ağ İnceleme;c:\program files\Microsoft Security Client\NisSrv.exe [2013-07-18 295376]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 Te.Service;Te.Service;c:\program files\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [2012-07-25 94208]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 WatAdminSvc;Windows Etkinleştirme Teknolojileri Hizmeti;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-18 1343400]
R3 WMSVC;Web Yönetimi Hizmeti;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 9728]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2013-03-01 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2013-02-14 171680]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2013-01-10 122240]
S2 ADExchange;ArcSoft Exchange Service;c:\program files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [2011-10-26 37280]
S2 BMFMySQL;BMFMySQL;c:\programdata\Quest Software\BMF\Repository\MySQL\bin\mysqld-max-nt.exe [2005-10-22 4431872]
S2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2011-06-02 355504]
S2 DB2MGMTSVC_TACOM26;DB2 Management Service (TACOM26);c:\program files\Quest Software\Toad for Data Analysts 2.6.1\SQLLIB\BIN\db2mgmtsvc.exe [2009-12-17 37736]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2013-03-21 1341664]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2013-01-10 105760]
S2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2013-06-28 1440080]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2012-01-31 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2011-09-16 12856]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2008-07-09 218136]
S2 OracleDBConsoleMYASOFT;OracleDBConsoleMYASOFT;c:\oracle\product\11.1.0\db_1\bin\nmesrvc.exe [2007-09-12 25600]
S2 OracleJobSchedulerMYASOFT;OracleJobSchedulerMYASOFT;c:\oracle\product\11.1.0\db_1\Bin\extjob.exe MYASOFT [x]
S2 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;c:\oracle\product\11.1.0\db_1\BIN\TNSLSNR  [x]
S2 OracleServiceMYASOFT;OracleServiceMYASOFT;c:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE MYASOFT [x]
S2 OracleVssWriterMYASOFT;Oracle MYASOFT VSS Writer Service;c:\oracle\product\11.1.0\db_1\bin\OraVSSW.exe MYASOFT [x]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2012-03-23 87040]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2009-03-30 1113448]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-07-12 3289472]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-01-18 383264]
S2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [2012-12-14 3467768]
S2 WiseSvc;WiseSvc;c:\windows\system32\Wise\WiseSvc.exe [2005-12-13 77824]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2008-07-09 31256]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
S3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\DRIVERS\vna.sys [2011-06-02 129304]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ftpsvc REG_MULTI_SZ   ftpsvc
iissvcs REG_MULTI_SZ   w3svc was
apphost REG_MULTI_SZ   apphostsvc
WindowsMobile REG_MULTI_SZ   wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ   WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 06:52]
.
2013-07-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2292262038-1394036280-3836162821-1000Core.job
- c:\users\Melike\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-10-17 17:04]
.
2013-07-27 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2292262038-1394036280-3836162821-1000UA.job
- c:\users\Melike\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-10-17 17:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.tr/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Microsoft Excel'e &Ver - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Sothink Flash Downloader For IE - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {414FB93D-DEDD-4FEF-AD7F-167992EBDB52} - hxxps://vpn.ora.com.tr//SNX/CSHELL/extender.cab
.
.
------- File Associations -------
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
HKCU-Run-Google Update - (no file)
HKLM-Run-Wondershare Helper Compact.exe - c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
HKLM-Run-BrowserPlugInHelper - c:\program files\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe
HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
AddRemove-Picasa 3 - c:\program files\Google\Picasa3\Uninstall.exe
AddRemove-{0CD8A170-E470-11DB-3D6C-00D529464AE1} - c:\program files\Notation\Uninst_Notation Musician 2.6.3
.
.
Binary file temp00 matches
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\OracleOraDb11g_home1TNSListener]
"ImagePath"="c:\oracle\product\11.1.0\db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5936)
c:\users\Melike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\bin\msmdsrv.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
c:\oracle\product\11.1.0\db_1\Bin\extjob.exe
c:\windows\system32\conhost.exe
c:\oracle\product\11.1.0\db_1\BIN\TNSLSNR.exe
c:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE
c:\oracle\product\11.1.0\db_1\bin\OraVSSW.exe
c:\oracle\product\11.1.0\db_1\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
c:\oracle\product\11.1.0\db_1\jdk\bin\java.exe
c:\oracle\product\11.1.0\db_1\bin\emagent.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Wise for Windows Installer\Service\WiseTaskSvc.exe
c:\program files\Wise for Windows Installer\DBTaskExec.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\conhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\users\Melike\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-07-27  17:08:39 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-27 14:08
.
Pre-Run: 265.245.585.408 bayt boş
Post-Run: 272.619.888.640 bayt boş
.
- - End Of File - - 10D77DC06291F453EE7E8E21CEFF1802
A36C5E4F47E84449FF07ED3517B43A31
 

By the way, I noticed that after the reboot the file system protection feature in Nod32 is enabled, even though I set it to "disable for 4 hours".

 

Edit: I'm so sorry, you already mentioned the error I get. Now I'm restarting the computer.


Edited by melikedi, 27 July 2013 - 10:08 AM.
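The Drivers/Services section of the ComboFix log above lists two R1 kernel drivers with random-looking eight-letter names and `[x]` (the marker ComboFix prints when it cannot read the referenced file on disk), which the helper's CFScript later in the thread targets. As an added example, not part of this thread or of ComboFix, here is a small Python triage script that parses that section and flags such entries; my reading of the line format (state letter, start-type digit, name;display;path [date size]) and the MpKsl allowlist are assumptions stated in the comments.

```python
"""Triage helper for the 'Drivers/Services' section of a ComboFix log."""
import re
from dataclasses import dataclass, field

# Constructed sample input: service lines copied from the ComboFix log in this
# thread, trimmed to a handful that exercise the rules below.
SAMPLE_LOG = """\
R1 gxikneew;gxikneew;c:\\windows\\system32\\drivers\\gxikneew.sys [x]
R1 mkajsqtp;mkajsqtp;c:\\windows\\system32\\drivers\\mkajsqtp.sys [x]
R1 MpKsl417aaf61;MpKsl417aaf61;c:\\windows\\Temp\\MpKsl417aaf61.sys [x]
R2 MBAMService;MBAMService;c:\\program files\\Malwarebytes' Anti-Malware\\mbamservice.exe [2013-04-04 701512]
R3 NisDrv;Microsoft Network Inspection System;c:\\windows\\system32\\DRIVERS\\NisDrvWFP.sys [2013-06-18 107392]
S1 eamonm;eamonm;c:\\windows\\system32\\DRIVERS\\eamonm.sys [2013-02-14 171680]
S3 RTL8167;Realtek 8167 NT Driver;c:\\windows\\system32\\DRIVERS\\Rt86win7.sys [2009-03-01 139776]
"""

# One ComboFix service line, as I read the format: state letter (R=running,
# S=stopped), start-type digit (0 boot, 1 system, 2 auto, 3 demand,
# 4 disabled), then name;display name;image path, and [date size] or [x].
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")

# Name prefixes treated as known-benign even when they trip the rules.
# MpKsl*.sys is the transient Microsoft antimalware engine driver that
# Security Essentials / Defender writes under c:\windows\Temp (assumption).
KNOWN_BENIGN_PREFIXES = ("MpKsl",)


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display_name: str
    image_path: str
    file_info: str  # "x" when ComboFix could not read the file
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.reasons)


def parse_services(text):
    """Return the service lines of a ComboFix log as ServiceEntry objects."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, dots and other non-service lines
        state, start, name, display, path, info = m.groups()
        entries.append(ServiceEntry(state == "R", int(start), name, display, path, info))
    return entries


def triage(entry):
    """Attach plain-language reasons; an entry with 3+ reasons deserves a look."""
    if entry.name.startswith(KNOWN_BENIGN_PREFIXES):
        return entry
    if entry.file_info == "x":
        entry.reasons.append("file could not be read on disk ([x])")
    if entry.display_name == entry.name:
        entry.reasons.append("no descriptive display name")
    if entry.start_type <= 1:
        entry.reasons.append("boot/system start: loads before user-mode protection")
    # Both drivers removed in this thread are eight random lowercase letters;
    # this is a narrow heuristic for that naming style, not a family signature.
    if re.fullmatch(r"[a-z]{8}", entry.name):
        entry.reasons.append("eight-letter lowercase name with no meaning")
    return entry


def suspicious_drivers(text, threshold=3):
    """Entries from the log text that accumulate at least `threshold` reasons."""
    return [e for e in map(triage, parse_services(text)) if e.score >= threshold]


if __name__ == "__main__":
    for e in suspicious_drivers(SAMPLE_LOG):
        print(f"{e.name:16} {e.image_path}")
        for r in e.reasons:
            print(f"    - {r}")
```

Treat the output as a review queue, not a verdict: a legitimate driver whose file is merely locked will also show `[x]`, which is why the score combines several weak signals.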


#8 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 29 July 2013 - 12:35 AM

As told within my instructions for Combofix, simply reboot the computer to fix this issue.

 

 

Multiple Antivirus Programs installed!

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either ESET or MSE.



#9 melikedi (Topic Starter, Members, 10 posts)

Posted 29 July 2013 - 02:15 AM

Hi Marius,

I uninstalled MSE. Now everything seems ok.

Thank you very much.



#10 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 29 July 2013 - 06:37 AM

We're not finished yet.

 

 

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




#11 melikedi (Topic Starter, Members, 10 posts)

Posted 29 July 2013 - 03:29 PM

Hi,

Here is the log of Combofix you asked for:

 

ComboFix 13-07-25.02 - Melike 29.07.2013  16:47:36.2.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1254.90.1055.18.3327.1486 [GMT 3:00]
Running from: c:\users\Melike\Desktop\ComboFix.exe
Command switches used :: c:\users\Melike\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 6.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET NOD32 Antivirus 6.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\gxikneew.sys"
"c:\windows\system32\drivers\mkajsqtp.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_gxikneew
-------\Service_mkajsqtp
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-28 to 2013-07-29  )))))))))))))))))))))))))))))))
.
.
2013-07-29 14:01 . 2013-07-29 14:01 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-07-29 14:01 . 2013-07-29 14:01 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2013-07-29 14:01 . 2013-07-29 14:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-29 14:01 . 2013-07-29 14:01 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2013-07-29 08:28 . 2013-07-29 13:50 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9B950EE3-D21F-426A-B412-6E85F0F68F01}\offreg.dll
2013-07-29 08:09 . 2013-07-29 08:09 -------- d-----w- C:\kk
2013-07-26 17:17 . 2013-07-26 17:20 -------- d-----w- c:\windows\system32\MRT
2013-07-26 08:34 . 2013-07-26 08:34 -------- d-----w- c:\users\Melike\AppData\Roaming\Malwarebytes
2013-07-26 08:33 . 2013-07-26 08:33 -------- d-----w- c:\programdata\Malwarebytes
2013-07-26 06:53 . 2013-07-26 06:53 -------- d-----w- c:\program files\ESET
2013-07-25 16:45 . 2013-07-25 16:46 -------- d-----w- c:\program files\Cobian Backup 11
2013-07-23 19:10 . 2013-07-02 06:54 7143960 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9B950EE3-D21F-426A-B412-6E85F0F68F01}\mpengine.dll
2013-07-22 13:08 . 2013-07-22 13:08 -------- d-----w- c:\program files\AdamPosCoLtd
2013-07-22 11:53 . 2013-07-22 11:53 -------- d-----w- C:\Myasoft 2.0
2013-07-20 04:37 . 2004-12-07 08:11 258352 ----a-w- c:\windows\system32\unicows.dll
2013-07-11 16:23 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-07-11 16:23 . 2013-05-06 04:56 1620480 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-11 16:23 . 2013-06-05 03:05 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-07-11 16:23 . 2013-06-04 04:53 509440 ----a-w- c:\windows\system32\qedit.dll
2013-07-11 16:23 . 2013-04-10 05:03 936448 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2013-07-11 16:23 . 2013-04-10 05:03 988672 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2013-07-11 16:23 . 2013-04-10 05:03 969216 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-07-11 16:23 . 2013-04-10 05:04 1221632 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2013-07-11 16:23 . 2013-05-27 04:57 680960 ----a-w- c:\program files\Windows Defender\MpSvc.dll
2013-07-11 16:23 . 2013-05-27 04:57 392704 ----a-w- c:\program files\Windows Defender\MpClient.dll
2013-07-11 16:23 . 2013-05-27 04:57 224768 ----a-w- c:\program files\Windows Defender\MpCommu.dll
2013-07-10 19:53 . 2013-07-10 19:53 -------- d-----w- c:\program files\LogMeIn Hamachi
2013-07-08 13:11 . 2013-07-08 13:16 -------- d--h--w- c:\program files\Zero G Registry
2013-07-08 12:26 . 2013-07-08 12:26 -------- d--h--w- c:\users\Melike\InstallAnywhere
2013-07-08 09:24 . 2013-07-12 10:43 -------- d-----w- C:\Cognos
2013-07-08 07:55 . 2013-07-08 07:55 -------- d-----w- c:\program files\Common Files\GSTools
2013-07-08 07:53 . 2013-07-08 07:53 -------- d-----w- c:\windows\system32\vers
2013-07-08 07:53 . 2009-05-12 14:21 24576 ----a-w- c:\windows\system32\NTEventLogAppender.dll
2013-07-08 07:44 . 2013-07-08 13:11 -------- d-----w- c:\program files\ibm
2013-07-08 07:36 . 2013-07-08 07:42 -------- d-----w- c:\users\Melike\DownloadDirector
2013-07-08 06:58 . 2013-07-08 06:58 -------- d-----w- c:\program files\Common Files\Java
2013-07-08 06:58 . 2013-07-08 06:57 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-25 06:52 . 2012-04-18 19:21 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-25 06:52 . 2011-05-23 14:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-22 10:43 . 2012-04-19 14:53 2534880 ----a-w- c:\programdata\Microsoft\VisualStudio\11.0\1033\ResourceCache.dll
2013-07-08 06:57 . 2012-05-18 21:26 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-08 06:57 . 2011-06-16 20:36 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-10 04:08 . 2011-05-16 08:25 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-05-15 06:40 . 2012-02-15 07:22 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-13 04:45 . 2013-06-12 20:14 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 04:45 . 2013-06-12 20:14 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 04:45 . 2013-06-12 20:14 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 03:08 . 2013-06-12 20:14 903168 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-12 20:14 43008 ----a-w- c:\windows\system32\certenc.dll
2013-05-10 03:20 . 2013-06-12 20:14 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-08 05:38 . 2013-06-12 20:14 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-05-06 05:06 . 2013-06-12 20:14 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-06 05:06 . 2013-06-12 20:14 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-01 00:03 . 2013-05-01 00:03 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-05-01 00:03 . 2013-05-01 00:03 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-05-01 00:03 . 2013-05-01 00:03 719360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-05-01 00:03 . 2013-05-01 00:03 61952 ----a-w- c:\windows\system32\tdc.ocx
2013-05-01 00:03 . 2013-05-01 00:03 523264 ----a-w- c:\windows\system32\vbscript.dll
2013-05-01 00:03 . 2013-05-01 00:03 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-05-01 00:03 . 2013-05-01 00:03 38400 ----a-w- c:\windows\system32\imgutil.dll
2013-05-01 00:03 . 2013-05-01 00:03 361984 ----a-w- c:\windows\system32\html.iec
2013-05-01 00:03 . 2013-05-01 00:03 185344 ----a-w- c:\windows\system32\elshyph.dll
2013-05-01 00:03 . 2013-05-01 00:03 158720 ----a-w- c:\windows\system32\msls31.dll
2013-05-01 00:03 . 2013-05-01 00:03 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-05-01 00:03 . 2013-05-01 00:03 138752 ----a-w- c:\windows\system32\wextract.exe
2013-05-01 00:03 . 2013-05-01 00:03 137216 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-01 00:03 . 2013-05-01 00:03 12800 ----a-w- c:\windows\system32\mshta.exe
2013-05-01 00:03 . 2013-05-01 00:03 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-05-01 00:03 . 2013-05-01 00:03 23040 ----a-w- c:\windows\system32\licmgr10.dll
2013-05-01 00:03 . 2013-05-01 00:03 1441280 ----a-w- c:\windows\system32\inetcpl.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1MediaIconsOverlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2013-07-24 06:18 225280 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Melike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Melike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Melike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Melike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Melike\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-10-17 138096]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-03 19603048]
"Google Update"="" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 172568]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-27 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-09-09 421776]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2013-06-28 2255184]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2013-03-21 5078504]
.
c:\users\Melike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Melike\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-25 27776968]
EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2012-1-23 1014112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R1 MpKsl417aaf61;MpKsl417aaf61;c:\windows\Temp\MpKsl417aaf61.sys [x]
R2 LOGO_TIGERPLUS_Service_6304_200131_2_12;LOGO_TIGERPLUS_Service 2.12.1.0 (6304-200131);c:\program files\LOGO\TIGER PLUS\LOGO_TIGERPLUS_Service.exe [2012-04-20 10312832]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-06-03 162408]
R3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [x]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 Te.Service;Te.Service;c:\program files\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [2012-07-25 94208]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 WatAdminSvc;Windows Etkinleştirme Teknolojileri Hizmeti;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-18 1343400]
R3 WMSVC;Web Yönetimi Hizmeti;c:\windows\system32\inetsrv\wmsvc.exe [2009-07-14 9728]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2013-03-01 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2013-02-14 171680]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2013-01-10 122240]
S2 ADExchange;ArcSoft Exchange Service;c:\program files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [2011-10-26 37280]
S2 BMFMySQL;BMFMySQL;c:\programdata\Quest Software\BMF\Repository\MySQL\bin\mysqld-max-nt.exe [2005-10-22 4431872]
S2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2011-06-02 355504]
S2 DB2MGMTSVC_TACOM26;DB2 Management Service (TACOM26);c:\program files\Quest Software\Toad for Data Analysts 2.6.1\SQLLIB\BIN\db2mgmtsvc.exe [2009-12-17 37736]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2013-03-21 1341664]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2013-01-10 105760]
S2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2013-06-28 1440080]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2012-01-31 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2011-09-16 12856]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2008-07-09 218136]
S2 OracleDBConsoleMYASOFT;OracleDBConsoleMYASOFT;c:\oracle\product\11.1.0\db_1\bin\nmesrvc.exe [2007-09-12 25600]
S2 OracleJobSchedulerMYASOFT;OracleJobSchedulerMYASOFT;c:\oracle\product\11.1.0\db_1\Bin\extjob.exe MYASOFT [x]
S2 OracleOraDb11g_home1TNSListener;OracleOraDb11g_home1TNSListener;c:\oracle\product\11.1.0\db_1\BIN\TNSLSNR  [x]
S2 OracleServiceMYASOFT;OracleServiceMYASOFT;c:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE MYASOFT [x]
S2 OracleVssWriterMYASOFT;Oracle MYASOFT VSS Writer Service;c:\oracle\product\11.1.0\db_1\bin\OraVSSW.exe MYASOFT [x]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2009-03-30 1113448]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-07-12 3289472]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-01-18 383264]
S2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [2012-12-14 3467768]
S2 Worker;DevExpress Report Server v12.2 Worker;c:\program files\DevExpress\Report Server 12.2\DevExpress.ReportServer.v12.2.Worker.exe [2012-12-27 52736]
S3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2008-07-09 31256]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-01 139776]
S3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\DRIVERS\vna.sys [2011-06-02 129304]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ftpsvc REG_MULTI_SZ    ftpsvc
iissvcs REG_MULTI_SZ    w3svc was
apphost REG_MULTI_SZ    apphostsvc
WindowsMobile REG_MULTI_SZ    wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ    WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 06:52]
.
2013-07-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2292262038-1394036280-3836162821-1000Core.job
- c:\users\Melike\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-10-17 17:04]
.
2013-07-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2292262038-1394036280-3836162821-1000UA.job
- c:\users\Melike\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-10-17 17:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.tr/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Microsoft Excel'e &Ver - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Sothink Flash Downloader For IE - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {414FB93D-DEDD-4FEF-AD7F-167992EBDB52} - hxxps://vpn.ora.com.tr//SNX/CSHELL/extender.cab
.
Binary file temp00 matches
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\OracleOraDb11g_home1TNSListener]
"ImagePath"="c:\oracle\product\11.1.0\db_1\BIN\TNSLSNR "
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3368)
c:\users\Melike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\bin\msmdsrv.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
c:\oracle\product\11.1.0\db_1\Bin\extjob.exe
c:\windows\system32\conhost.exe
c:\oracle\product\11.1.0\db_1\BIN\TNSLSNR.exe
c:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE
c:\oracle\product\11.1.0\db_1\bin\OraVSSW.exe
c:\oracle\product\11.1.0\db_1\perl\5.8.3\bin\MSWin32-x86-multi-thread\perl.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\oracle\product\11.1.0\db_1\jdk\bin\java.exe
c:\oracle\product\11.1.0\db_1\bin\emagent.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\users\Melike\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2013-07-29  22:56:41 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-29 19:56
.
Pre-Run: 269.556.310.016 bayt boş
Post-Run: 267.045.752.832 bayt boş
.
- - End Of File - - D3E0C2D3C4EB3D8D22E66A3D66A7F2E6
A36C5E4F47E84449FF07ED3517B43A31

#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:01:36 PM

Posted 30 July 2013 - 03:03 AM

Full System Scan with Malwarebytes Anti-Malware

  • If it is not already installed, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:
  • Run Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click 'Export to text file'.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 melikedi

  • Topic Starter
  • Members
  • 10 posts
  • Local time:03:36 PM

Posted 30 July 2013 - 12:56 PM

Hi,

The Malwarebytes Anti-Malware log is:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.30.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16635
Melike :: MELIKE-PC [administrator]

Protection: Disabled

30.07.2013 11:08:53
mbam-log-2013-07-30 (11-08-53).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 930750
Time elapsed: 3 hour(s), 50 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Melike\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.

Files Detected: 1
C:\Users\Melike\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.

(end)

And no threat was found in the ESET online scan.

#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:01:36 PM

Posted 31 July 2013 - 12:45 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with AdwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe.
  • Hit Delete.
  • When the run is finished, it will open a text file.
  • Please post its contents in your next reply.
  • You'll also find the log file at C:\AdwCleaner[S1].txt.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its contents to your thread.


#15 melikedi

  • Topic Starter
  • Members
  • 10 posts
  • Local time:03:36 PM

Posted 31 July 2013 - 02:23 AM

Hi,

Here is the AdwCleaner log:

# AdwCleaner v2.306 - Bu rapor 31/07/2013 tarihinde 09:47:49'te olusturuldu
# Son güncelleme 19/07/2013 tarihinde, Xplode tarafindan
# Isletim sistemi : Windows 7 Professional Service Pack 1 (32 bits)
# Kullanici : Melike - MELIKE-PC
# Mod : Normal
# Dosya konumu : C:\Users\Melike\Desktop\adwcleaner.exe
# Seçenek [Sil]

***** [Servisler] *****

***** [Dosyalar / Klasörler] *****

Dosya Désinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Developer Network\MSDN Library for Visual Studio 2008 - ENU.lnk
Dosya Désinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Visual Studio 2008\Microsoft Visual Studio 2008 Documentation.lnk
Dosya Silindi : C:\Windows\system32\vers
Klasör Silindi : C:\Program Files\Babylon
Klasör Silindi : C:\Program Files\Common Files\Wondershare
Klasör Silindi : C:\Program Files\Wondershare
Klasör Silindi : C:\ProgramData\Babylon
Klasör Silindi : C:\Users\Melike\AppData\Local\Conduit
Klasör Silindi : C:\Users\Melike\AppData\Local\Wondershare
Klasör Silindi : C:\Users\Melike\AppData\LocalLow\BabylonToolbar
Klasör Silindi : C:\Users\Melike\AppData\LocalLow\Conduit
Klasör Silindi : C:\Users\Melike\AppData\Roaming\OpenCandy

***** [Registry] *****

Registry Key'i Silindi : HKCU\Software\APN PIP
Registry Key'i Silindi : HKCU\Software\Conduit
Registry Key'i Silindi : HKCU\Software\IGearSettings
Registry Key'i Silindi : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Registry Key'i Silindi : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Registry Key'i Silindi : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Registry Key'i Silindi : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Registry Key'i Silindi : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Registry Key'i Silindi : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Registry Key'i Silindi : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Registry Key'i Silindi : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Registry Key'i Silindi : HKLM\Software\Babylon
Registry Key'i Silindi : HKLM\Software\BabylonToolbar
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\Conduit.Engine
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\Prod.cap
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Registry Key'i Silindi : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Registry Key'i Silindi : HKLM\Software\Conduit
Registry Key'i Silindi : HKLM\SOFTWARE\Google\Chrome\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk
Registry Key'i Silindi : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Registry Key'i Silindi : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASAPI32
Registry Key'i Silindi : HKLM\SOFTWARE\Microsoft\Tracing\Babylon_RASMANCS
Registry Key'i Silindi : HKLM\SOFTWARE\Microsoft\Tracing\BabylonTC_RASAPI32
Registry Key'i Silindi : HKLM\SOFTWARE\Microsoft\Tracing\BabylonTC_RASMANCS
Registry Key'i Silindi : HKLM\SOFTWARE\Microsoft\Tracing\BabylonToolbarsrv_RASAPI32
Registry Key'i Silindi : HKLM\SOFTWARE\Microsoft\Tracing\BabylonToolbarsrv_RASMANCS
Registry Key'i Silindi : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Registry Key'i Silindi : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Registry Key'i Silindi : HKLM\Software\PIP

***** [Browser'lar] *****

-\\ Internet Explorer v10.0.9200.16635

[OK] Registry temiz.

*************************

AdwCleaner[S1].txt - [5405 octets] - [31/07/2013 09:47:49]

########## EOF - C:\AdwCleaner[S1].txt - [5465 octets] ##########

SecurityCheck created a checkup.txt, but it's empty.