Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Had some suspects and got something I think [RESOLVED]


  • This topic is locked This topic is locked

#1
Lazures

Lazures

    Member

  • Member
  • PipPip
  • 52 posts
Hi firstly.I appreciate any help comes from anyone.

Well my computer was running slow and I had some suspects of it.I downloaded a MP3 file that had a Trojan Downloader Wimad.E but I didnt opened it
However,AVG didnt come up with a threat screen.Only when I scanned it with my own hands,Avg showed that it was a Trojan.I clicked to heal that file but it got deleted.And lately my computer is running slower.I want to explain that my CPU is not good but my RAM is fine.

Whatever here is my HJT Log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:06:06, on 16.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\devldr32.exe
F:\Program Files\Spyware Doctor\pctsAuxs.exe
F:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Image-Line\FL Studio 7\FL.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISTray] "F:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sipru.lnk = F:\Program Files\Sipru\sipru.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5262 bytes





Ah by the way I didnt restart my computer after I got that warning.

Edited by Lazures, 15 March 2008 - 05:08 PM.

  • 0

Advertisements


#2
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Lazures

welcome to geekstogo :)

nothing really jumps out from the logs, so we will do a deeper scan.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

andrewuk
  • 0

#3
Lazures

Lazures

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
I did the scan and the main.txt apperead only :

Deckard's System Scanner v20071014.68
Run by BerKing on 2008-03-16 01:38:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 1.37 GiB (less than 15%) free.


-- HijackThis (run as BerKing.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:38:20, on 16.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\devldr32.exe
F:\Program Files\Spyware Doctor\pctsAuxs.exe
F:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Image-Line\FL Studio 7\FL.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\BerKing\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\BerKing.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISTray] "F:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sipru.lnk = F:\Program Files\Sipru\sipru.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5300 bytes

-- Files created between 2008-02-16 and 2008-03-16 -----------------------------

2008-03-16 01:05:56 0 d-------- C:\Program Files\Trend Micro
2008-03-16 00:42:20 0 d-------- C:\Program Files\EsetOnlineScanner
2008-03-04 18:39:15 0 d-------- C:\Documents and Settings\BerKing\Application Data\Sibelius Software
2008-03-04 18:38:59 0 d-------- C:\Program Files\Sibelius Software
2008-02-29 20:22:44 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-29 20:22:44 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-29 20:22:44 0 d-------- C:\Program Files\Xvid
2008-02-24 23:53:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-24 23:33:25 0 d-------- C:\Documents and Settings\BerKing\Application Data\PC Tools
2008-02-24 23:07:34 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 02:53:13 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-23 02:24:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-02-23 02:08:48 0 d-------- C:\Program Files\Common Files\Macrovision Shared


-- Find3M Report ---------------------------------------------------------------

2008-03-16 00:36:50 0 d-------- C:\Documents and Settings\BerKing\Application Data\AVG7
2008-03-15 19:00:03 0 d-------- C:\Documents and Settings\BerKing\Application Data\Lightning Download
2008-03-14 17:34:16 0 d-------- C:\Documents and Settings\BerKing\Application Data\uTorrent
2008-03-08 19:47:56 0 d-------- C:\Program Files\Java
2008-03-06 17:20:37 0 d-------- C:\Program Files\SampleTank 2
2008-03-06 17:20:36 0 d-------- C:\Program Files\VstPlugins
2008-02-29 19:37:57 0 d-------- C:\Program Files\uTorrent
2008-02-24 23:34:44 380692 --a------ C:\WINDOWS\system32\perfh01F.dat
2008-02-24 23:34:44 67438 --a------ C:\WINDOWS\system32\perfc01F.dat
2008-02-23 19:44:14 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-23 19:08:06 0 d-------- C:\Documents and Settings\BerKing\Application Data\Adobe
2008-02-23 02:08:48 0 d-------- C:\Program Files\Common Files
2008-02-11 22:07:03 0 d-------- C:\Program Files\Boru Client
2008-02-11 22:06:36 159662 --a------ C:\WINDOWS\Application name Uninstaller.exe
2008-02-11 09:39:26 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-11 09:39:18 237568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-08 13:53:46 110592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll <Not Verified; ; OnlineScanner Language Library>
2008-02-05 08:48:04 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe <Not Verified; ; OnlineScannerUninstaller>
2008-01-28 20:09:18 0 d-------- C:\Documents and Settings\BerKing\Application Data\FarStone
2008-01-28 20:06:18 261 --a------ C:\inVHDDrvLog.dat
2008-01-28 20:03:07 86016 --a------ C:\WINDOWS\system32\Dversion.dll <Not Verified; FarStone Technology, Inc.; Farstone Dversion>
2008-01-28 20:03:07 110592 --a------ C:\WINDOWS\system32\DVC.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [29.05.2001 11:02 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22.02.2008 04:25]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [21.11.2006 19:38]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [11.05.2005 23:12]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27.04.2007 08:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01.06.2007 15:51]
"Lightning Download"="C:\Program Files\Lightning Download\Lightning.exe" [18.10.2007 11:20]
"@"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [24.02.2008 23:53]
"ISTray"="F:\Program Files\Spyware Doctor\pctsTray.exe" [10.12.2007 14:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19.01.2007 12:55]

C:\Documents and Settings\BerKing\Start Menu\Programlar\BaŸlang‡\
Sipru.lnk - F:\Program Files\Sipru\sipru.exe [07.03.2008 22:08:31]

C:\Documents and Settings\All Users\Start Menu\Programlar\BaŸlang‡\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11.05.2005 23:23:26]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d1d24f3-dfc2-11db-9523-000fea234422}]
1\Command- I:\.\RECYCLER\RECYCLER\autorun.exe
2\Command- I:\.\RECYCLER\RECYCLER\autorun.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4949986b-1103-11dc-9909-000fea234422}]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-03-16 01:39:12 ------------
  • 0

#4
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#5
Lazures

Lazures

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Here is the ComboFix Report :

ComboFix 08-03-14.4 - BerKing 2008-03-16 1:55:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.806 [GMT 2:00]
Running from: C:\Documents and Settings\BerKing\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.sipru.com
.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-16 01:32 . 2008-03-16 01:32 <DIR> d-------- C:\Deckard
2008-03-16 01:05 . 2008-03-16 01:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-16 00:42 . 2008-03-16 01:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-08 19:47 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 18:39 . 2008-03-04 18:39 <DIR> d-------- C:\Documents and Settings\BerKing\Application Data\Sibelius Software
2008-03-04 18:38 . 2008-03-04 18:38 <DIR> d-------- C:\Program Files\Sibelius Software
2008-02-29 20:22 . 2008-02-29 20:22 <DIR> d-------- C:\Program Files\Xvid
2008-02-29 20:22 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-29 20:22 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-29 20:22 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-02-24 23:53 . 2008-02-24 23:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-24 23:33 . 2008-02-24 23:33 <DIR> d-------- C:\Documents and Settings\BerKing\Application Data\PC Tools
2008-02-24 23:33 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-24 23:33 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-24 23:33 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-24 23:33 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-24 23:07 . 2008-03-16 01:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 02:53 . 2008-02-23 02:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-23 02:08 . 2008-02-23 02:08 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 22:36 --------- d-----w C:\Documents and Settings\BerKing\Application Data\AVG7
2008-03-15 17:00 --------- d-----w C:\Documents and Settings\BerKing\Application Data\Lightning Download
2008-03-14 15:34 --------- d-----w C:\Documents and Settings\BerKing\Application Data\uTorrent
2008-03-08 17:47 --------- d-----w C:\Program Files\Java
2008-03-06 15:20 --------- d-----w C:\Program Files\VstPlugins
2008-03-06 15:20 --------- d-----w C:\Program Files\SampleTank 2
2008-02-29 17:37 --------- d-----w C:\Program Files\uTorrent
2008-02-24 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-23 17:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-11 20:07 --------- d-----w C:\Program Files\Boru Client
2008-02-11 20:06 159,662 ----a-w C:\WINDOWS\Application name Uninstaller.exe
2008-02-11 07:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 07:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 11:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 06:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-28 18:09 --------- d-----w C:\Documents and Settings\BerKing\Application Data\FarStone
2008-01-28 18:06 261 ----a-w C:\inVHDDrvLog.dat
2008-01-28 18:03 86,016 ----a-w C:\WINDOWS\system32\Dversion.dll
2008-01-28 18:03 110,592 ----a-w C:\WINDOWS\system32\DVC.dll
2007-12-10 15:40 6,275,816 ----a-w C:\Program Files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2007-04-22 07:03 1,409,024 --sh--w C:\WINDOWS\system\Mythos_PvP_Client.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [2001-05-29 11:02 124416 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 19:38 35328]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 15:51 257088]
"Lightning Download"="C:\Program Files\Lightning Download\Lightning.exe" [2007-10-18 11:20 2142208]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-24 23:53 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-24 23:53 219136]

C:\Documents and Settings\BerKing\Start Menu\Programlar\BaŸlang‡\
Sipru.lnk - F:\Program Files\Sipru\sipru.exe [2008-03-07 22:08:31 4022272]

C:\Documents and Settings\All Users\Start Menu\Programlar\BaŸlang‡\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dmremote.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\patchget.dat"=
"C:\\Program Files\\Codemasters\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE"=
"F:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"F:\\Program Files\\Warcraft III\\w3l.exe"=
"F:\\Program Files\\Age of Wonders Shadow Magic\\AoWSM.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\Sipru\\sipru.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6112:TCP"= 6112:TCP:w3

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2004-02-12 18:52]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
S3 yqfprhqr;yqfprhqr;C:\WINDOWS\system32\drivers\yqfprhqr.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4949986b-1103-11dc-9909-000fea234422}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-07-24 07:11:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-03-11 12:39:42 C:\WINDOWS\Tasks\WebReg psc 1400 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 01:58:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-16 1:59:02
ComboFix-quarantined-files.txt 2008-03-15 23:58:54
.
2007-08-16 12:58:07 --- E O F ---





And here is the HJT Report :


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:00:28, on 16.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Image-Line\FL Studio 7\FL.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sipru.lnk = F:\Program Files\Sipru\sipru.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5132 bytes
  • 0

#6
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
any ideas what this file is F:\Program Files\Sipru\sipru.exe

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\drivers\yqfprhqr.sys
C:\WINDOWS\Application name Uninstaller.exe

Driver::
yqfprhqr

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4949986b-1103-11dc-9909-000fea234422}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#7
Lazures

Lazures

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Well Sipru is a Internet TV for NTV,NBA TV,CNBC but if it needs to be deleted I'll delete of course

Here is my ComboFix Log :

ComboFix 08-03-14.4 - BerKing 2008-03-16 14:07:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.770 [GMT 2:00]
Running from: C:\Documents and Settings\BerKing\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\BerKing\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Application name Uninstaller.exe
C:\WINDOWS\system32\drivers\yqfprhqr.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Application name Uninstaller.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_YQFPRHQR
-------\yqfprhqr


((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-16 01:32 . 2008-03-16 01:32 <DIR> d-------- C:\Deckard
2008-03-16 01:05 . 2008-03-16 01:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-16 00:42 . 2008-03-16 01:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-08 19:47 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 18:39 . 2008-03-04 18:39 <DIR> d-------- C:\Documents and Settings\BerKing\Application Data\Sibelius Software
2008-03-04 18:38 . 2008-03-04 18:38 <DIR> d-------- C:\Program Files\Sibelius Software
2008-02-29 20:22 . 2008-02-29 20:22 <DIR> d-------- C:\Program Files\Xvid
2008-02-29 20:22 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-29 20:22 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-29 20:22 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-02-24 23:53 . 2008-02-24 23:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-24 23:33 . 2008-02-24 23:33 <DIR> d-------- C:\Documents and Settings\BerKing\Application Data\PC Tools
2008-02-24 23:33 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-24 23:33 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-24 23:33 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-24 23:33 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-24 23:07 . 2008-03-16 01:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 02:53 . 2008-02-23 02:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-23 02:08 . 2008-02-23 02:08 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 12:03 --------- d-----w C:\Documents and Settings\BerKing\Application Data\Lightning Download
2008-03-16 12:02 --------- d-----w C:\Documents and Settings\BerKing\Application Data\AVG7
2008-03-14 15:34 --------- d-----w C:\Documents and Settings\BerKing\Application Data\uTorrent
2008-03-08 17:47 --------- d-----w C:\Program Files\Java
2008-03-06 15:20 --------- d-----w C:\Program Files\VstPlugins
2008-03-06 15:20 --------- d-----w C:\Program Files\SampleTank 2
2008-02-29 17:37 --------- d-----w C:\Program Files\uTorrent
2008-02-24 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-23 17:44 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-11 20:07 --------- d-----w C:\Program Files\Boru Client
2008-01-28 18:09 --------- d-----w C:\Documents and Settings\BerKing\Application Data\FarStone
2008-01-28 18:06 261 ----a-w C:\inVHDDrvLog.dat
2007-12-10 15:40 6,275,816 ----a-w C:\Program Files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2007-04-22 07:03 1,409,024 --sh--w C:\WINDOWS\system\Mythos_PvP_Client.exe
.

((((((((((((((((((((((((((((( [email protected]_ 1.58.38,71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 06:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [2001-05-29 11:02 124416 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 19:38 35328]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 15:51 257088]
"Lightning Download"="C:\Program Files\Lightning Download\Lightning.exe" [2007-10-18 11:20 2142208]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-24 23:53 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-24 23:53 219136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\dmremote.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\patchget.dat"=
"C:\\Program Files\\Codemasters\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE"=
"F:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"F:\\Program Files\\Warcraft III\\w3l.exe"=
"F:\\Program Files\\Age of Wonders Shadow Magic\\AoWSM.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\Sipru\\sipru.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6112:TCP"= 6112:TCP:w3

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2004-02-12 18:52]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4949986b-1103-11dc-9909-000fea234422}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-07-24 07:11:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-03-11 12:39:42 C:\WINDOWS\Tasks\WebReg psc 1400 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 14:12:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-03-16 14:15:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 12:15:34
ComboFix2.txt 2008-03-15 23:59:03
.
2007-08-16 12:58:07 --- E O F ---



And my HJT Log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:18:56, on 16.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Lightning Download\Lightning.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {F1FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lightning Download] C:\Program Files\Lightning Download\Lightning.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sipru.lnk = F:\Program Files\Sipru\sipru.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5243 bytes
  • 0

#8
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

Well Sipru is a Internet TV for NTV,NBA TV,CNBC but if it needs to be deleted I'll delete of course

lets hold fire for the moment, i cant find much about it, but if it is legit then it should be ok. it does seem to be the last program you loaded though in March.

otherwise your logs are looking good, so we will do a couple of scans to see what else is on your machine.

the scans will likely take 2 hours, quite possibly much longer. so just let them run.

====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 3====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


in your next reply could i see:
1. the SUPERantispyware log
2. the kaspersky scan log
3. a new hijackthis log

there may be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk
  • 0

#9
Lazures

Lazures

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Super Spyware Log :

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/16/2008 at 06:43 PM

Application Version : 4.0.1154

Core Rules Database Version : 3420
Trace Rules Database Version: 1412

Scan type : Complete Scan
Total Scan Time : 00:21:31

Memory items scanned : 425
Memory threats detected : 0
Registry items scanned : 4268
Registry threats detected : 0
File items scanned : 12684
File threats detected : 0

__________________________________

HJT Log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17:54, on 16.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sipru.lnk = F:\Program Files\Sipru\sipru.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5129 bytes


I dont know why but Kaspersky didnt worked for me.. And after I did these my Firefox isnt working normally.I even rebooted my PC but its still like this http://img219.images...218/adszaf1.jpg

Edited by Lazures, 16 March 2008 - 11:27 AM.

  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
hmm....my mistake, i did not notice you had firefox and kaspersky only works with IE.....though that shoudl not have caused the issues with the firefox. the SUPERantispyware did not find anything, so good news there.

we will do a different scan and go back a fix your firefox afterwards, though if push comes to shove we can readily reinstall it. incidently, does your firefox do that on all sites, or just geekstogo?

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

andrewuk
  • 0

Advertisements


#11
Lazures

Lazures

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
My brother was on for 15-20 minutes,while I was studying..After that,I felt like doing another scan with SuperAnti-spyware and it found something..Just now nothing is working normally actually.My Firefox does not open the other window at PandaScan,my internet explorer's homepage changed..Its some spyware semptoms I think.I'll post my SuperAntispyware Log now,if I can.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/16/2008 at 08:33 PM

Application Version : 4.0.1154

Core Rules Database Version : 3420
Trace Rules Database Version: 1412

Scan type : Complete Scan
Total Scan Time : 00:23:25

Memory items scanned : 440
Memory threats detected : 0
Registry items scanned : 4283
Registry threats detected : 56
File items scanned : 13656
File threats detected : 9

Adware.Mirar/NetNucleus
HKLM\Software\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Version
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BuildName
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\TypeLib
C:\WINDOWS\SYSTEM32\WINNB58.DLL
HKLM\Software\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel
HKCR\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}\TypeLib
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0\win32
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\FLAGS
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\HELPDIR
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib#Version
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}#UninstallString
C:\DOCUMENTS AND SETTINGS\BERKING\LOCAL SETTINGS\TEMP\MIRAR_VC_SETUP_876933.EXE
C:\DOCUMENTS AND SETTINGS\BERKING\LOCAL SETTINGS\TEMP\TEM224.TMP.EXE

Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta#http
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta#https

Adware.Tracking Cookie
C:\Documents and Settings\BerKing\Cookies\[email protected][2].txt
C:\Documents and Settings\BerKing\Cookies\[email protected][1].txt
C:\Documents and Settings\BerKing\Cookies\[email protected][1].txt
C:\Documents and Settings\BerKing\Cookies\[email protected][2].txt
C:\Documents and Settings\BerKing\Cookies\[email protected][2].txt
C:\Documents and Settings\BerKing\Cookies\[email protected][1].txt
  • 0

#12
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
yes, something has come on and hit your machine between those 2 SUPERantispyware scans. we had better take stock of where we are.

firstly, could you clear your firefox cache and reset the settings to default.

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Check All
click Scan
DSS will now run again when finished
Please post back both logs that open in notepad
Main txt and extra txt

there will be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk
  • 0

#13
Lazures

Lazures

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Well my English is not so good so could you explain me to this Firefox Cache thingie please ?

Ah here is main.txt :

Deckard's System Scanner v20071014.68
Run by BerKing on 2008-03-16 20:48:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
11: 2008-03-16 18:48:53 UTC - RP11 - Deckard's System Scanner Restore Point
10: 2008-03-16 17:58:14 UTC - RP10 - Software Distribution Service 3.0
9: 2008-03-16 17:56:49 UTC - RP9 - Windows Internet Explorer 7 yüklendi.
8: 2008-03-16 17:54:59 UTC - RP8 - Installed Windows IDNMitigationAPIs.
7: 2008-03-16 17:54:20 UTC - RP7 - Installed Windows NLSDownlevelMapping.


-- First Restore Point --
1: 2008-03-15 23:32:41 UTC - RP1 - Sistem Denetleme Noktası


Performed disk cleanup.

System Drive C: has 0.82 GiB (less than 15%) free.


-- HijackThis (run as BerKing.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:48:58, on 16.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Documents and Settings\BerKing\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\BerKing.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: InternetProgram - {88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30} - C:\Program Files\InternetProgram\InternetProgram-2.dll
O2 - BHO: cpmsky.biz browser optimizer - {BCA95E31-1FBF-4F84-8F23-1BA653007A1E} - C:\WINDOWS\system32\cpmsky.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\cpmsky.dll" DllStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sipru.lnk = F:\Program Files\Sipru\sipru.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6058 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ElbyVCD - c:\windows\system32\drivers\elbyvcd.sys <Not Verified; Elaborate Bytes AG; Virtual CloneDrive>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 SASENUM - f:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 712)
2007-04-19 12:41:36 294912 --a------ F:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\explorer.exe (pid 1440)
2006-12-20 12:55:48 77824 --a------ F:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>

C:\WINDOWS\system32\rundll32.exe (pid 3476)
2008-03-07 15:58:24 60416 --a------ C:\WINDOWS\system32\cpmsky.dll


-- Scheduled Tasks -------------------------------------------------------------

2007-07-24 09:11:08 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-03-11 14:39:42 248 --a------ C:\WINDOWS\Tasks\WebReg psc 1400 series.job


-- Files created between 2008-02-16 and 2008-03-16 -----------------------------

2008-03-16 20:09:15 40713 --a------ C:\WINDOWS\system32\cpmsky-uninst.exe
2008-03-16 20:09:08 80121 --a------ C:\WINDOWS\system32\adzgalore-remove.exe
2008-03-16 20:09:08 0 d-------- C:\Program Files\Adzgalore Games Collection
2008-03-16 20:02:29 0 d-------- C:\Program Files\FBrowsingAdvisor
2008-03-16 20:02:28 0 d-------- C:\Program Files\FBrowserAdvisor
2008-03-16 20:02:20 0 d-------- C:\Program Files\InternetProgram
2008-03-16 19:57:18 0 d-------- C:\WINDOWS\system32\tr-tr
2008-03-16 19:47:16 0 d-------- C:\WINDOWS\network diagnostic
2008-03-16 18:17:33 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-16 18:17:28 0 d-------- C:\Documents and Settings\BerKing\Application Data\SUPERAntiSpyware.com
2008-03-16 18:13:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-16 18:13:54 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-16 01:55:01 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-16 01:55:01 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-16 01:55:01 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-16 01:55:01 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-16 01:05:56 0 d-------- C:\Program Files\Trend Micro
2008-03-16 00:42:20 0 d-------- C:\Program Files\EsetOnlineScanner
2008-03-07 15:58:24 60416 --a------ C:\WINDOWS\system32\cpmsky.dll
2008-03-04 18:39:15 0 d-------- C:\Documents and Settings\BerKing\Application Data\Sibelius Software
2008-03-04 18:38:59 0 d-------- C:\Program Files\Sibelius Software
2008-02-29 20:22:44 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-02-29 20:22:44 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-02-29 20:22:44 0 d-------- C:\Program Files\Xvid
2008-02-24 23:53:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-24 23:07:34 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 02:53:13 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-23 02:24:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-02-23 02:08:48 0 d-------- C:\Program Files\Common Files\Macrovision Shared


-- Find3M Report ---------------------------------------------------------------

2008-03-16 20:07:45 0 d-------- C:\Documents and Settings\BerKing\Application Data\AVG7
2008-03-16 18:53:49 0 d-------- C:\Documents and Settings\BerKing\Application Data\Lightning Download
2008-03-16 18:17:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 17:34:16 0 d-------- C:\Documents and Settings\BerKing\Application Data\uTorrent
2008-03-08 19:47:56 0 d-------- C:\Program Files\Java
2008-03-06 17:20:37 0 d-------- C:\Program Files\SampleTank 2
2008-03-06 17:20:36 0 d-------- C:\Program Files\VstPlugins
2008-02-29 19:37:57 0 d-------- C:\Program Files\uTorrent
2008-02-24 23:34:44 380692 --a------ C:\WINDOWS\system32\perfh01F.dat
2008-02-24 23:34:44 67438 --a------ C:\WINDOWS\system32\perfc01F.dat
2008-02-23 19:44:14 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-23 19:08:06 0 d-------- C:\Documents and Settings\BerKing\Application Data\Adobe
2008-02-23 02:08:48 0 d-------- C:\Program Files\Common Files
2008-02-11 22:07:03 0 d-------- C:\Program Files\Boru Client
2008-02-11 09:39:26 253952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-11 09:39:18 237568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll <Not Verified; ; OnlineScanner Dynamic Link Library>
2008-02-08 13:53:46 110592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll <Not Verified; ; OnlineScanner Language Library>
2008-02-05 08:48:04 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe <Not Verified; ; OnlineScannerUninstaller>
2008-01-28 20:09:18 0 d-------- C:\Documents and Settings\BerKing\Application Data\FarStone
2008-01-28 20:06:18 261 --a------ C:\inVHDDrvLog.dat
2008-01-28 20:03:07 86016 --a------ C:\WINDOWS\system32\Dversion.dll <Not Verified; FarStone Technology, Inc.; Farstone Dversion>
2008-01-28 20:03:07 110592 --a------ C:\WINDOWS\system32\DVC.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30}]
30.12.2007 22:48 1019904 --a------ C:\Program Files\InternetProgram\InternetProgram-2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCA95E31-1FBF-4F84-8F23-1BA653007A1E}]
07.03.2008 15:58 60416 --a------ C:\WINDOWS\system32\cpmsky.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [29.05.2001 11:02 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22.02.2008 04:25]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [21.11.2006 19:38]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [11.05.2005 23:12]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27.04.2007 08:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01.06.2007 15:51]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [24.02.2008 23:53]
"PostSetupCheck"="C:\WINDOWS\system32\cpmsky.dll" [07.03.2008 15:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19.01.2007 12:55]
"SUPERAntiSpyware"="F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [29.02.2008 16:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03.08.2004 23:45]

C:\Documents and Settings\BerKing\Start Menu\Programlar\BaŸlang‡\
Sipru.lnk - F:\Program Files\Sipru\sipru.exe [07.03.2008 22:08:31]

C:\Documents and Settings\All Users\Start Menu\Programlar\BaŸlang‡\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11.05.2005 23:23:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20.12.2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.2007 12:41 294912 F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4949986b-1103-11dc-9909-000fea234422}]
AutoRun\command- H:\LaunchU3.exe -a

*Newly Created Service* - SASDIFSV



-- End of Deckard's System Scanner: finished at 2008-03-16 20:52:30 ------------
  • 0

#14
Lazures

Lazures

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
And extra.txt :

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Other (041F) - see http://preview.tinyurl.com/mhhp6

CPU 0: Intel® Pentium® 4 CPU 1.60GHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 1279.48 MiB / 713.81 MiB
Pagefile Memory (total/avail): 1517.97 MiB / 1096.9 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.98 MiB

A: is Removable (No Media)
B: is Removable (No Media)
C: is Fixed (NTFS) - 55.89 GiB total, 0.83 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 74.53 GiB total, 58.8 GiB free.
G: is CDROM (No Media)
H: is CDROM (No Media)
I: is CDROM (No Media)
J: is CDROM (No Media)
K: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - SAMSUNG SP0842N - 74.53 GiB - 1 partition
\PARTITION0 - Yüklenebilir Dosya Sistemi - 74.53 GiB - F:

\\.\PHYSICALDRIVE0 - ST360021A - 55.9 GiB - 1 partition
\PARTITION0 (bootable) - Yüklenebilir Dosya Sistemi - 55.89 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.519 v7.5.519 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\system32\\dmremote.exe"="C:\\WINDOWS\\system32\\dmremote.exe:*:Enabled:dmremote"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"="C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat:*:Enabled:The Battle for Middle-earth™ II"
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\patchget.dat"="C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\patchget.dat:*:Enabled:patchgrabber"
"C:\\Program Files\\Codemasters\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE"="C:\\Program Files\\Codemasters\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE:*:Enabled:Worms 4 Mayhem"
"F:\\Program Files\\Warcraft III\\Frozen Throne.exe"="F:\\Program Files\\Warcraft III\\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne"
"F:\\Program Files\\Warcraft III\\w3l.exe"="F:\\Program Files\\Warcraft III\\w3l.exe:*:Enabled:DTR'ye Bağlan"
"F:\\Program Files\\Age of Wonders Shadow Magic\\AoWSM.exe"="F:\\Program Files\\Age of Wonders Shadow Magic\\AoWSM.exe:*:Enabled:Age of Wonders: Shadow Magic"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"F:\\Program Files\\Sipru\\sipru.exe"="F:\\Program Files\\Sipru\\sipru.exe:*:Enabled:sipru"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\BerKing\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=KNIGTHHO-DD8AF7
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\BerKing
LOGONSERVER=\\KNIGTHHO-DD8AF7
NUMBER_OF_PROCESSORS=1
OPENSSL_CONF=C:\OpenSSL\bin\openssl.cnf
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PROGRAM FILES\QUICKTIME\QTSYSTEM;F:\PROGRA~1\VD.E-V;F:\PROGRAM FILES\VD.E-V\VDP;F:\PROGRA~1\VD.E-V\DVDCRE~1;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_11\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\BerKing\LOCALS~1\Temp
TMP=C:\DOCUME~1\BerKing\LOCALS~1\Temp
USERDOMAIN=KNIGTHHO-DD8AF7
USERNAME=BerKing
USERPROFILE=C:\Documents and Settings\BerKing
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

BerKing (admin)
Elleşme (admin)
Administrator.KNIGTHHO-DD8AF7.000 (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{0E6AB9FC-76C2-431B-9C06-6C1CFFFEA8EB}
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Setup --> MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adzgalore Games Collection --> C:\Program Files\Adzgalore Games Collection\uninstall.exe
Age of Wonders II --> F:\Program Files\Age of Wonders II\aow2Uninstall.exe
Age of Wonders Shadow Magic --> F:\Program Files\Age of Wonders Shadow Magic\aowsmUninstall.exe
Antares Auto-Tune 3.06 DirectX --> C:\PROGRA~1\ANTARE~1\ANTARE~1\UNWISE.EXE C:\PROGRA~1\ANTARE~1\ANTARE~1\INSTALL.LOG
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
Application name --> C:\WINDOWS\Application name Uninstaller.exe
Arqas World --> MsiExec.exe /I{4DC1B4D4-F9D2-4F6F-8F63-4C36C31F44EF}
ASIO4ALL --> C:\Program Files\ASIO4ALL v2\uninstall.exe
Atmosphere --> "C:\Program Files\Spectrasonics\Atmosphere\unins000.exe"
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Avance AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Browser Optimizer Adzgalore --> C:\WINDOWS\system32\adzgalore-remove.exe
Camtasia Studio 4 --> MsiExec.exe /I{1BA16E5A-72B9-44B7-9FDA-FB6CE7FF6C0C}
Collab --> C:\Program Files\Image-Line\Collab\uninstall.exe
DTR --> F:\Program Files\Warcraft III\Uninstal.exe
Edirol Super Quartet v1.52 TALiO --> C:\PROGRA~1\EDIROL\SUPERQ~1.52\UNWISE.EXE C:\PROGRA~1\EDIROL\SUPERQ~1.52\INSTALL.LOG
eMusic - 50 Free MP3 offer --> "C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
Enhancement Browser Tools Cpmsky --> C:\WINDOWS\system32\cpmsky-uninst.exe
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
ExituS UO --> C:\Program Files\Ultima Online 2D\Multi ExituS Uninstal.exe
FBrowsingAdvisor --> "C:\Program Files\FBrowsingAdvisor\unins000.exe"
FL Studio 7 --> C:\Program Files\Image-Line\FL Studio 7\uninstall.exe
Heaven PvP --> C:\Program Files\Ultima Online 2D\HeavenUninstall.exe
Heroes of Might and Magic V --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DE075DB-4218-4B2C-A35E-48D80BA680BB}\Setup.exe" -l0x15
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
IL Download Manager --> C:\Program Files\Image-Line\Downloader\uninstall.exe
Image Line ToxicIII v1.4 VSTi --> C:\PROGRA~1\VSTPLU~1\ToxicIII\UNWISE.EXE C:\PROGRA~1\VSTPLU~1\ToxicIII\INSTALL.LOG
InternetProgram --> C:\Program Files\InternetProgram\uninstall.exe
iTunes --> MsiExec.exe /I{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"
Linplug Albino v2.1 --> C:\PROGRA~1\VSTPLU~1\LINPLU~1\ALBINO~1\ALBINO~1\UNWISE.EXE C:\PROGRA~1\VSTPLU~1\LINPLU~1\ALBINO~1\ALBINO~1\INSTALL.LOG
Mellosoftron v3.1 --> C:\audio\MELLOS~1\UNWISE.EXE C:\audio\MELLOS~1\INSTALL.LOG
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Native Instruments FM7 v1.10.006 --> C:\PROGRA~1\NATIVE~1\FM7\UNWISE.EXE C:\PROGRA~1\NATIVE~1\FM7\INSTALL.LOG
NI Service Center --> C:\PROGRA~1\NATIVE~1\NISERV~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\NISERV~1\INSTALL.LOG
OpenSSL 0.9.6m --> C:\OpenSSL\unins000.exe
Pyramid Uo --> C:\Program Files\Ultima Online 2D\Uninstal.exe
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
sfArk --> C:\Program Files\sfArk\uninstall.exe
Sibelius Scorch --> MsiExec.exe /I{51C65CD6-A344-41B5-81E2-3CCAC8024F68}
Sibelius Scorch (ActiveX Only) --> MsiExec.exe /I{C8E4455F-0F70-4DA2-A9F9-2D56C80E10AD}
Sipru --> MsiExec.exe /I{7086CBBD-E86A-4042-BC9B-787B172731F9}
Steinberg Mastering Edition Enhanced 2002 --> C:\PROGRA~1\SONICF~1\SHARED~1\Audio\STEINB~1\UNWISE.EXE C:\PROGRA~1\SONICF~1\SHARED~1\Audio\STEINB~1\INSTALL.LOG
Steinberg Mastering Edition v1.0 --> C:\WINDOWS\UNWISE.EXE C:\audio\STEINB~1\MASTER~1\INSTALL.LOG
Steinberg The Grand 2 --> "C:\Program Files\VstPlugins\The Grand 2\Uninstall.exe" "C:\Program Files\VstPlugins\The Grand 2\Install.log"
Steinberg The Grand 2 v2.0.0.1152 --> C:\PROGRA~1\VSTPLU~1\THEGRA~1\UNWISE.EXE C:\PROGRA~1\VSTPLU~1\THEGRA~1\Install.log
Stronghold Crusader --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8C3727F2-8E37-49E4-820C-03B1677F53B6}\Setup.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Syncrosoft's License Control --> C:\PROGRA~1\SYNCRO~1\UNWISE.EXE C:\PROGRA~1\SYNCRO~1\INSTALL.LOG
SyncroSoft Emu (Remove only) --> C:\Program Files\SyncroSoft\Pos\H2O\Uninst.exe
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
T-RackS 24 v2.0.1 --> C:\audio\IKMULT~1\T-RACK~1\UNWISE.EXE C:\audio\IKMULT~1\T-RACK~1\INSTALL.LOG
Tassman 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C27C5BE0-0747-11D5-815F-00201856C449}\Setup.exe"
TBL BassLine v1.3 VSTi --> C:\PROGRA~1\VSTPLU~1\TBLBAS~1\UNWISE.EXE C:\PROGRA~1\VSTPLU~1\TBLBAS~1\INSTALL.LOG
The Battle for Middle-earth ™ II --> C:\Program Files\Electronic Arts\The Battle for Middle-earth ™ II\EAUninstall.exe
The Lord of the Rings, The Rise of the Witch-king --> C:\Program Files\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\EAUninstall.exe
UO Auto-Map --> c:\Program Files\UOAM\uoam.exe -uninstall
VirtualCloneDrive --> "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\vcd-uninst.exe" /D="C:\Program Files\Elaborate Bytes\VirtualCloneDrive"
VirtualDrive Pro --> "F:\Program Files\VD.E-V\Setup.exe"
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Warp VST V1.0 --> C:\PROGRA~1\VSTPLU~1\WARPVS~1.0\UNWISE.EXE C:\PROGRA~1\VSTPLU~1\WARPVS~1.0\INSTALL.LOG
WC3Banlist --> "C:\Program Files\WC3Banlist\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{CB7D9F91-E82E-450C-B884-3DB9A7099C73}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows XP (KB923689) için Güvenlik Güncelleştirmesi --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Windows XP Düzeltme - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Düzeltme - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Düzeltme - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Düzeltme - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Düzeltme - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Düzeltme - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Düzeltme - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Düzeltme - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP için Düzeltme (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Windows XP için Güncelleştirme (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Windows XP için Güvenlik Güncelleştirmesi (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB925454) --> "C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB928090) --> "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB929969) --> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB931768) --> "C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB933566) --> "C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB937143) --> "C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Windows XP için Güvenlik Güncelleştirmesi (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Worms Blast --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8874FD36-7C9D-4573-8956-E368D6753D90}\setup.exe"
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type3993 / Error
Event Submitted/Written: 03/16/2008 08:49:23 PM
Event ID/Source: 8 / crypt32
Event Description:
Üçüncü parti kök listesi sıra numarasının otomatik güncelleştirme yapılarak alınamadığı konum: <http://www.download....uthrootseq.txt> hata: Belirtilen sunucu istenen işlemi yürütemez.

Event Record #/Type3992 / Error
Event Submitted/Written: 03/16/2008 08:49:23 PM
Event ID/Source: 8 / crypt32
Event Description:
Üçüncü parti kök listesi sıra numarasının otomatik güncelleştirme yapılarak alınamadığı konum: <http://www.download....uthrootseq.txt> hata: Belirtilen sunucu istenen işlemi yürütemez.

Event Record #/Type3991 / Error
Event Submitted/Written: 03/16/2008 08:49:23 PM
Event ID/Source: 8 / crypt32
Event Description:
Üçüncü parti kök listesi sıra numarasının otomatik güncelleştirme yapılarak alınamadığı konum: <http://www.download....uthrootseq.txt> hata: Zaman aşımı süresi sona erdiğinden bu işlem geri çevrildi.

Event Record #/Type3988 / Success
Event Submitted/Written: 03/16/2008 08:38:37 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type3984 / Error
Event Submitted/Written: 03/16/2008 08:14:01 PM
Event ID/Source: 1000 / Application Error
Event Description:
Hata uygulaması iexplore.exe, sürüm 7.0.6000.16608, hata modülü urlmon.dll, sürümü 6.0.2900.3157, hata adresi 0x0003db7b.
Ortama özel olay [iexplore.exe!ws!] için işleniyor



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type23599 / Error
Event Submitted/Written: 03/16/2008 08:37:35 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM iPod Service hizmetini "" değişkenleriyle başlatmaya çalışırken "%%1058" hatasını aldı
ve sunucuyu çalıştıramadı:
{063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Event Record #/Type23586 / Error
Event Submitted/Written: 03/16/2008 08:10:17 PM
Event ID/Source: 10010 / DCOM
Event Description:
{0002DF01-0000-0000-C000-000000000046} sunucusu belirtilen zaman aşımı süresi içinde DCOM'a kaydolamadı.

Event Record #/Type23585 / Error
Event Submitted/Written: 03/16/2008 08:09:46 PM
Event ID/Source: 10010 / DCOM
Event Description:
{0002DF01-0000-0000-C000-000000000046} sunucusu belirtilen zaman aşımı süresi içinde DCOM'a kaydolamadı.

Event Record #/Type23584 / Error
Event Submitted/Written: 03/16/2008 08:05:19 PM
Event ID/Source: 10010 / DCOM
Event Description:
{0002DF01-0000-0000-C000-000000000046} sunucusu belirtilen zaman aşımı süresi içinde DCOM'a kaydolamadı.

Event Record #/Type23583 / Error
Event Submitted/Written: 03/16/2008 08:04:48 PM
Event ID/Source: 10010 / DCOM
Event Description:
{0002DF01-0000-0000-C000-000000000046} sunucusu belirtilen zaman aşımı süresi içinde DCOM'a kaydolamadı.



-- End of Deckard's System Scanner: finished at 2008-03-16 20:52:30 ------------
  • 0

#15
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

Well my English is not so good so could you explain me to this Firefox Cache thingie please ?

Clearing Cache on Firefox 2.0Click Tools and select Options.
Click the Advanced icon and click the Network tab.
Click Clear Now under the Cache section.
Click Ok.
Exit and relaunch the browser.

looks like there were several programs downloaded onto your machine carrying infections.


====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: InternetProgram - {88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30} - C:\Program Files\InternetProgram\InternetProgram-2.dll
O2 - BHO: cpmsky.biz browser optimizer - {BCA95E31-1FBF-4F84-8F23-1BA653007A1E} - C:\WINDOWS\system32\cpmsky.dll
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\cpmsky.dll" DllStart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

FBrowsingAdvisor
InternetProgram
Adzgalore Games Collection
Kaspersky Online Scanner


Please note any other programs that you dont recognize in that list in your next response



====STEP 2====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\cpmsky.dll
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\system32\adzgalore-remove.exe
C:\Program Files\InternetProgram\InternetProgram-2.dll

Folder::
C:\Program Files\InternetProgram
C:\Program Files\Adzgalore Games Collection
C:\Program Files\FBrowsingAdvisor
C:\WINDOWS\system32\tr-tr
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\WINDOWS\system32\Kaspersky Lab

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4949986b-1103-11dc-9909-000fea234422}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

andrewuk
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP