
Win32/Rootkit.Agent.ODG.trojan, unable to clean [Solved]


  • This topic is locked This topic is locked

#1
invinciblebjk
Member, 12 posts

Hi everyone,

First, I would like to thank you all for helping people like us, and I would like to say that I personally appreciate it.

As is clear from my topic title, I am also one of the victims of this rootkit trojan. ESET NOD32, evidently, was not able to remove this trojan. I have tried using Malwarebytes Anti-Malware and Ad-Aware. They did not change anything.

Checking the "Malware and Spyware Cleaning Guide", I downloaded Rooter and OTListIt2 and got their results in the text files.

I hope you can help me as well. I believe this trojan has been downloading more and more trojans onto my PC, even though NOD32 is preventing them from entering.

I am posting the logs below; I hope I haven't missed a step. (By the way, I do not know how one can read and understand these data, but if you see anything else wrong other than the Win32/Rootkit.Agent.ODG.trojan, please still let me know!)

Rooter log:

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:76065 Mo/Free:856 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
E:\ [Fixed] - NTFS - (Total:953867 Mo/Free:1908 Mo)

25.04.2009|17:20

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
---------- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\TDispVol.exe
---------- C:\WINDOWS\RTHDCPL.EXE
---------- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
---------- C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
---------- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
---------- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
---------- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
---------- C:\WINDOWS\system32\PnkBstrA.exe
---------- C:\WINDOWS\system32\PnkBstrB.exe
---------- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
---------- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\system32\wscntfy.exe
---------- C:\Program Files\Mozilla Firefox\firefox.exe
---------- C:\WINDOWS\system32\wuauclt.exe
---------- C:\Documents and Settings\xxxxxxxxx\Desktop\Rooter.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV


1 - "C:\Rooter$\Rooter_1.txt" - 25.04.2009|17:13
2 - "C:\Rooter$\Rooter_2.txt" - 25.04.2009|17:20

----------------------\\ Scan completed at 17:20

OTListIt2 log:

OTListIt logfile created on: 25.04.2009 17:23:36 - Run 2
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\xxxxxxxx\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 0000041F | Country: Türkiye | Language: TRK | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 100,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 100,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,28 Gb Total Space | 36,84 Gb Free Space | 49,59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 931,51 Gb Total Space | 577,86 Gb Free Space | 62,04% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EPHESUS
Current User Name: xxxxxxxxx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\TDispVol.exe (TOSHIBA Corporation)
PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
PRC - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Microsoft Corporation)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe (InterVideo Inc.)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\WINDOWS\system32\PnkBstrA.exe ()
PRC - C:\WINDOWS\system32\PnkBstrB.exe ()
PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)
PRC - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Documents and Settings\xxxxxxxxx\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (Capture Device Service [Auto | Running]) -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe (InterVideo Inc.)
SRV - (CFSvcs [Auto | Running]) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (CVPND [Auto | Running]) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (EhttpSrv [On_Demand | Stopped]) -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (ESET)
SRV - (ekrn [Auto | Running]) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
SRV - (EvtEng [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (Nero BackItUp Scheduler 4.0 [Auto | Running]) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PnkBstrA [Auto | Running]) -- C:\WINDOWS\system32\PnkBstrA.exe ()
SRV - (PnkBstrB [Auto | Running]) -- C:\WINDOWS\system32\PnkBstrB.exe ()
SRV - (RegSrvc [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (S24EventMonitor [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
SRV - (ServiceLayer [On_Demand | Stopped]) -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (TAPPSRV [Auto | Running]) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)
SRV - (UleadBurningHelper [Auto | Running]) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys (Meetinghouse Data Communications)
DRV - (AgereSoftModem [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\AGRSM.sys (Agere Systems)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (camvid40 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\camdrv41.sys (Philips Consumer Electronics)
DRV - (CVirtA [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\CVirtA.sys (Cisco Systems, Inc.)
DRV - (CVPNDRVA [Auto | Running]) -- C:\WINDOWS\system32\Drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (DLABOIOM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLACDBHM [System | Running]) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLADResN [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLAIFS_M [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLAOPIOM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLARTL_N [System | Running]) -- C:\WINDOWS\System32\Drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DLAUDFAM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DNE [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\dne2000.sys (Deterministic Networks, Inc.)
DRV - (DRVMCDB [Boot | Running]) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (DRVNDDM [Auto | Running]) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (eamon [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\eamon.sys (ESET)
DRV - (ehdrv [System | Running]) -- C:\WINDOWS\system32\DRIVERS\ehdrv.sys (ESET)
DRV - (epfwtdir [System | Running]) -- C:\WINDOWS\system32\DRIVERS\epfwtdir.sys (ESET)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (ialm [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (IntcAzAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (lusbaudio [System | Stopped]) -- C:\WINDOWS\system32\drivers\OVSound2.sys (Microsoft Corporation)
DRV - (Netdevio [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\netdevio.sys (TOSHIBA Corporation.)
DRV - (NETw5x32 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\NETw5x32.sys (Intel Corporation)
DRV - (nmwcd [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (nmwcdc [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcdnsu [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys (Nokia)
DRV - (nmwcdnsuc [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcdnsuc.sys (Nokia)
DRV - (NuidFltr [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\NuidFltr.sys (Microsoft Corporation)
DRV - (PnkBstrK [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\PnkBstrK.sys ()
DRV - (Point32 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\point32.sys (Microsoft Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (QCAbsee [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\OVCA.sys (Microsoft Corporation)
DRV - (ROOTMODEM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\RootMdm.sys (Microsoft Corporation)
DRV - (s24trans [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\s24trans.sys (Intel Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SynTP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys (Synaptics, Inc.)
DRV - (tifm21 [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (toshidpt [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\Toshidpt.sys (TOSHIBA Corporation.)
DRV - (tosporte [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosporte.sys (TOSHIBA Corporation)
DRV - (Tosrfbd [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\tosrfbd.sys (TOSHIBA CORPORATION)
DRV - (Tosrfbnp [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\tosrfbnp.sys (TOSHIBA Corporation)
DRV - (Tosrfcom [System | Running]) -- C:\WINDOWS\System32\Drivers\tosrfcom.sys (TOSHIBA Corporation)
DRV - (tosrfec [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosrfec.sys (TOSHIBA Corporation)
DRV - (Tosrfhid [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys (TOSHIBA Corporation.)
DRV - (tosrfnds [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\tosrfnds.sys (TOSHIBA Corporation.)
DRV - (TosRfSnd [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\TosRfSnd.sys (TOSHIBA Corporation)
DRV - (Tosrfusb [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (TVALD [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\NBSMI.sys (Toshiba Corporation)
DRV - (Tvs [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Tvs.sys (TOSHIBA Corporation)
DRV - (upperdev [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys (Windows ® Codename Longhorn DDK provider)
DRV - (usbaudio [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (usbser [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\usbser.sys (Microsoft Corporation)
DRV - (UsbserFilt [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys (Windows ® Codename Longhorn DDK provider)
DRV - (vsdatant [On_Demand | Stopped]) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs LLC)
DRV - (w39n51 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\w39n51.sys (Intel® Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "www.google.co.uk"
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.1.8.6
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.102
FF - prefs.js..extensions.enabledItems: {19D6F1AB-D724-41EA-97CA-0758E16D12B7}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.9
FF - prefs.js..extensions.enabledItems: {36C13C8F-54F1-412e-8177-2E411719162D}:3.3.7

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009.04.21 23:07:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009.04.25 15:49:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009.04.23 19:01:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\PROGRAM FILES\ESET\ESET NOD32 ANTIVIRUS\MOZILLA THUNDERBIRD

[2008.09.14 14:07:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxx\Application Data\mozilla\Extensions
[2008.09.14 14:07:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxx\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009.04.22 08:14:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxx\Application Data\mozilla\Firefox\Profiles\qlxl1e1p.default\extensions
[2009.04.22 08:14:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxx\Application Data\mozilla\Firefox\Profiles\qlxl1e1p.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009.02.01 16:04:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxx\Application Data\mozilla\Firefox\Profiles\qlxl1e1p.default\extensions\{36C13C8F-54F1-412e-8177-2E411719162D}
[2009.04.25 17:06:16 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009.04.21 21:50:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{19D6F1AB-D724-41EA-97CA-0758E16D12B7}
[2009.04.23 19:01:15 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009.01.31 17:52:48 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2009.04.23 19:01:05 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009.04.23 19:01:05 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008.01.04 16:36:50 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2006.07.05 19:47:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008.01.04 16:36:50 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2008.03.08 10:35:22 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008.11.14 18:58:45 | 00,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2008.04.16 05:08:20 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008.03.28 19:11:14 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008.01.04 16:36:50 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

Hosts file not found
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (www.flashget.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (www.flashget.com)
O3 - HKLM\..\Toolbar: (Mirar) - {DF3D3FFC-4404-457E-BA81-77BB7EA6FCF3} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {DF3D3FFC-4404-457E-BA81-77BB7EA6FCF3} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice (ESET)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [TDispVol] "C:\WINDOWS\system32\TDispVol.exe" (TOSHIBA Corporation)
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (Skype Technologies S.A.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm ()
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] http in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] https in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: microsoft.com ([update] http in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: microsoft.com ([update] https in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: microsoft.com ([windowsupdate] http in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] http in Güvenilen siteler)
O15 - HKCU\..Trusted Sites: windowsupdate.com ([]http in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1206185325921 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1206186201843 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{7B6CC36C-1CA7-40D7-8C16-67A546ACC108}\\NameServer = 4.2.2.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (Geçerli Giriş Sayfam) - About:Home
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 0
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - E:\autorun [2009.04.07 21:47:46 | 00,000,000 | RH-D | M] - [ NTFS ]
O32 - Autorun File - E:\autorun.inf () - [ NTFS ]
O33 - MountPoints2\{8959a6d4-0da5-11de-8adc-00a0d145bb90}\Shell\AutoRun\command - "" = explorer .
O33 - MountPoints2\{8959a6d4-0da5-11de-8adc-00a0d145bb90}\Shell\mobile\command - "" = G:\MobileLaunch.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009.04.25 17:17:29 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\DOCUME~1\EFEAKA~1\Desktop\OTListIt2.exe
[2009.04.25 17:12:48 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009.04.25 17:12:43 | 00,267,612 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Rooter.exe
[2009.04.25 16:31:08 | 00,000,000 | ---D | C] -- C:\Program Files\jv16 PowerTools 2009
[2009.04.25 15:24:44 | 00,051,200 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\October 19 The Poisson Event Count Model.doc
[2009.04.24 23:20:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\xxxxxxxxx\Application Data\TrojanHunter
[2009.04.24 11:16:25 | 00,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2009.04.24 11:02:01 | 00,059,392 | R--- | C] () -- C:\WINDOWS\System32\streamhlp.dll
[2009.04.24 11:02:01 | 00,000,000 | ---D | C] -- C:\Program Files\TrojanHunter 5.0
[2009.04.24 10:58:22 | 00,102,800 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009.04.23 23:44:25 | 00,000,867 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\Ad-Aware.lnk
[2009.04.22 08:09:09 | 01,089,883 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009.04.21 22:54:20 | 00,000,224 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009.04.21 22:51:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009.04.21 21:49:29 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Local Settings\Application Data\ESET
[2009.04.21 20:39:37 | 36,687,6914 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\heroes.s03e24.hdtv.xvid-fqm.www.divxkurdu.com.DvX-TeaM.avi
[2009.04.18 16:56:10 | 00,139,895 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Grob-From_the_Dagger_to_the_Bomb.pdf
[2009.04.18 15:11:32 | 00,444,692 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\477.pdf
[2009.04.18 12:22:25 | 00,275,475 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\WP12.pdf
[2009.04.18 12:17:30 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\Research Design
[2009.04.15 21:05:00 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009.04.15 21:04:53 | 00,283,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009.04.15 21:04:53 | 00,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009.04.15 21:04:52 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009.04.15 21:04:51 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009.04.15 21:04:51 | 00,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sc.exe
[2009.04.15 21:04:49 | 00,682,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009.04.15 21:04:48 | 00,728,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009.04.15 21:04:48 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009.04.15 21:04:47 | 00,710,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009.04.15 21:03:14 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009.04.15 21:03:13 | 00,216,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009.04.14 12:34:26 | 11,735,11499 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Heroes.S03E23.720p.HDTV.X264-DIMENSION.mkv
[2009.04.13 16:03:36 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\RM
[2009.04.13 11:22:25 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\Research Methods
[2009.04.13 01:50:44 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009.04.13 01:50:44 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\Application Data\ESET
[2009.04.13 01:42:24 | 00,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009.04.13 01:42:21 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009.04.13 01:42:20 | 00,839,680 | ---- | C] (http://www.mp3dev.org/) -- C:\WINDOWS\System32\lameACM.acm
[2009.04.13 01:42:20 | 00,000,414 | ---- | C] () -- C:\WINDOWS\System32\lame_acm.xml
[2009.04.13 01:42:19 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009.04.13 01:42:19 | 00,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009.04.13 01:42:19 | 00,217,088 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\yv12vfw.dll
[2009.04.13 01:42:19 | 00,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009.04.13 01:42:19 | 00,118,784 | ---- | C] (fccHandler) -- C:\WINDOWS\System32\ac3acm.acm
[2009.04.13 01:42:19 | 00,086,016 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\dpl100.dll
[2009.04.13 01:42:17 | 00,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009.04.13 01:42:17 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009.04.13 01:42:16 | 00,060,273 | ---- | C] (Open Source Software community project) -- C:\WINDOWS\System32\pthreadGC2.dll
[2009.04.13 01:42:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Real
[2009.04.13 01:42:15 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Local Settings\Application Data\Real
[2009.04.13 01:42:15 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\Application Data\Real
[2009.04.10 22:49:06 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Belgelerim\The KMPlayer
[2009.04.10 22:47:10 | 00,000,710 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\KMPlayer.lnk
[2009.04.10 22:46:57 | 00,000,000 | ---D | C] -- C:\Program Files\The KMPlayer
[2009.04.10 22:40:18 | 00,000,000 | ---D | C] -- C:\Program Files\Haali
[2009.04.10 22:40:06 | 00,000,000 | ---D | C] -- C:\Program Files\CoreCodec
[2009.04.10 13:42:42 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\UN simulation
[2009.04.09 15:21:12 | 00,094,360 | ---- | C] (ESET) -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2009.04.09 15:18:02 | 00,107,256 | ---- | C] (ESET) -- C:\WINDOWS\System32\drivers\ehdrv.sys
[2009.04.09 15:10:30 | 00,113,960 | ---- | C] (ESET) -- C:\WINDOWS\System32\drivers\eamon.sys
[2009.04.06 14:26:42 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Belgelerim\Tekne Fotolar
[2009.04.05 13:52:46 | 00,044,498 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\one.flew.over.the.cuckoos.nest.(1975).eng.1cd.(3373253).zip
[2009.04.04 16:56:15 | 00,104,848 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\PMch1.pdf
[2009.04.03 18:36:33 | 59,071,765 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\Duman-En_Guzel_Gunum_Gecem-2007.rar
[2009.04.03 00:42:39 | 00,300,540 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\hydroptere_2_582.jpg
[2009.03.31 12:56:19 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\Terrorism Essay- Yes We Can
[2009.03.30 19:35:29 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Belgelerim\My Received Files
[2009.02.28 23:57:18 | 00,140,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009.01.23 17:54:35 | 00,015,504 | ---- | C] () -- C:\WINDOWS\System32\msdx92.dll
[2009.01.14 10:22:27 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2009.01.14 10:22:27 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2009.01.14 10:22:27 | 00,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2009.01.14 10:07:23 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2009.01.14 10:07:23 | 00,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2008.12.30 15:52:50 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.12.24 14:39:42 | 00,004,767 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2008.06.25 22:22:48 | 00,308,736 | R--- | C] () -- C:\WINDOWS\System32\fpxlib.dll
[2008.06.25 22:22:48 | 00,091,136 | R--- | C] () -- C:\WINDOWS\System32\jpeglib.dll
[2008.05.23 07:48:33 | 00,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2008.05.23 07:35:50 | 00,000,098 | ---- | C] () -- C:\WINDOWS\WirelessFTP.INI
[2008.05.11 08:45:55 | 00,000,145 | ---- | C] () -- C:\WINDOWS\PR1V2.INI
[2007.04.03 16:18:26 | 00,197,672 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007.04.03 16:18:06 | 00,193,576 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006.02.01 11:19:14 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006.02.01 11:08:10 | 00,000,466 | ---- | C] () -- C:\WINDOWS\TBTdetect.ini
[2006.02.01 10:55:30 | 00,000,744 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006.02.01 10:42:00 | 00,000,216 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006.02.01 10:38:07 | 00,210,456 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006.02.01 10:38:07 | 00,206,360 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006.02.01 10:38:07 | 00,198,168 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006.02.01 10:38:07 | 00,198,168 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006.02.01 10:38:07 | 00,194,072 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006.02.01 10:38:07 | 00,026,136 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006.02.01 10:33:55 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\TDispVol.dll
[2006.02.01 10:30:55 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2006.02.01 10:30:39 | 00,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2006.02.01 10:30:39 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2006.02.01 09:27:24 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2006.02.01 09:27:24 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[2006.02.01 09:15:17 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006.02.01 09:15:17 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006.02.01 09:15:17 | 00,010,174 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006.02.01 09:15:17 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006.01.31 16:20:04 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll
[2006.01.31 16:20:04 | 00,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006.01.31 16:19:42 | 00,000,668 | ---- | C] () -- C:\WINDOWS\win.ini
[2006.01.31 16:19:39 | 00,000,827 | ---- | C] () -- C:\WINDOWS\system.ini
[2005.11.29 04:33:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005.09.02 13:44:08 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005.07.22 20:30:20 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004.07.20 16:04:02 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004.04.05 14:08:36 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\ChtCodec.dll
[2004.01.15 13:43:28 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2004.01.14 02:46:00 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll

========== Files - Modified Within 30 Days ==========

[1 C:\*.tmp files]
[4 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009.04.25 17:17:30 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\EFEAKA~1\Desktop\OTListIt2.exe
[2009.04.25 17:12:43 | 00,267,612 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Rooter.exe
[2009.04.25 17:09:44 | 01,043,700 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009.04.25 17:09:44 | 00,444,362 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009.04.25 17:09:44 | 00,431,542 | ---- | M] () -- C:\WINDOWS\System32\perfh01F.dat
[2009.04.25 17:09:44 | 00,082,308 | ---- | M] () -- C:\WINDOWS\System32\perfc01F.dat
[2009.04.25 17:09:44 | 00,072,238 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009.04.25 17:05:22 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009.04.25 17:05:18 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009.04.25 17:05:15 | 32,191,81568 | -HS- | M] () -- C:\hiberfil.sys
[2009.04.25 16:59:13 | 00,195,584 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.04.25 15:26:36 | 00,102,472 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009.04.25 15:24:44 | 00,051,200 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\October 19 The Poisson Event Count Model.doc
[2009.04.25 12:53:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009.04.24 11:02:05 | 00,059,392 | R--- | M] () -- C:\WINDOWS\System32\streamhlp.dll
[2009.04.24 10:58:22 | 00,102,800 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009.04.23 23:44:25 | 00,000,867 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\Ad-Aware.lnk
[2009.04.22 08:06:58 | 00,368,896 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009.04.21 23:31:56 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009.04.21 22:54:20 | 00,000,224 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009.04.21 22:27:50 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009.04.21 22:10:24 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\zulenipe
[2009.04.21 21:55:24 | 00,050,688 | -HS- | M] () -- C:\WINDOWS\System32\gitisowe.exe
[2009.04.20 23:42:55 | 36,687,6914 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\heroes.s03e24.hdtv.xvid-fqm.www.divxkurdu.com.DvX-TeaM.avi
[2009.04.19 18:03:52 | 00,002,433 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\VPN Client.lnk
[2009.04.18 16:56:10 | 00,139,895 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Grob-From_the_Dagger_to_the_Bomb.pdf
[2009.04.18 16:55:51 | 00,444,692 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\477.pdf
[2009.04.18 12:22:25 | 00,275,475 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\WP12.pdf
[2009.04.13 21:18:00 | 00,000,478 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009.04.13 21:16:48 | 11,735,11499 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Heroes.S03E23.720p.HDTV.X264-DIMENSION.mkv
[2009.04.10 22:47:10 | 00,000,710 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\KMPlayer.lnk
[2009.04.09 15:21:12 | 00,094,360 | ---- | M] (ESET) -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2009.04.09 15:18:02 | 00,107,256 | ---- | M] (ESET) -- C:\WINDOWS\System32\drivers\ehdrv.sys
[2009.04.09 15:10:30 | 00,113,960 | ---- | M] (ESET) -- C:\WINDOWS\System32\drivers\eamon.sys
[2009.04.06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009.04.06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009.04.05 13:52:46 | 00,044,498 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\one.flew.over.the.cuckoos.nest.(1975).eng.1cd.(3373253).zip
[2009.04.04 16:56:16 | 00,104,848 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\PMch1.pdf
[2009.04.03 18:37:16 | 59,071,765 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\Duman-En_Guzel_Gunum_Gecem-2007.rar
[2009.04.03 00:42:40 | 00,300,540 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\hydroptere_2_582.jpg
[2009.04.02 11:33:00 | 00,184,958 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\OC.jpg
[2009.03.27 12:45:56 | 00,015,817 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Yeni Microsoft Office Word Document.docx
[2009.03.27 07:48:52 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009.03.26 19:02:09 | 01,596,607 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\189_1.jpg

========== Alternate Data Streams ==========

@Alternate Data Stream - 150 bytes -> C:\DOCUME~1\ALLUSE~1\Application Data\TEMP:CD060F93
@Alternate Data Stream - 124 bytes -> C:\DOCUME~1\ALLUSE~1\Application Data\TEMP:CB0AACC9
@Alternate Data Stream - 118 bytes -> C:\DOCUME~1\ALLUSE~1\Application Data\TEMP:5BB923A2
< End of report >



OTLIST "EXTRAS" LOG:

OTListIt Extras logfile created on: 25.04.2009 17:23:36 - Run 2
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\xxxxxxxx\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 0000041F | Country: Türkiye | Language: TRK | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 100,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 100,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,28 Gb Total Space | 36,84 Gb Free Space | 49,59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 931,51 Gb Total Space | 577,86 Gb Free Space | 62,04% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EPHESUS
Current User Name: xxx xxxxx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"21018:TCP" = 21018:TCP:*:Enabled:BitComet 21018 TCP
"21018:UDP" = 21018:UDP:*:Enabled:BitComet 21018 UDP
"18829:TCP" = 18829:TCP:*:Enabled:BitComet 18829 TCP
"18829:UDP" = 18829:UDP:*:Enabled:BitComet 18829 UDP
"60000:TCP" = 60000:TCP:*:Enabled:BitComet 60000 TCP
"60000:UDP" = 60000:UDP:*:Enabled:BitComet 60000 UDP
"22394:TCP" = 22394:TCP:*:Enabled:BitComet 22394 TCP
"22394:UDP" = 22394:UDP:*:Enabled:BitComet 22394 UDP
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader
"6112:TCP" = 6112:TCP:*:Enabled:Blizzard Downloader

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call (Microsoft Corporation)
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync (Microsoft Corporation)
C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour (Apple Inc.)
C:\WINDOWS\system32\drivers\svchost.exe:*:Enabled:svchost File not found
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook (Microsoft Corporation)
C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove (Microsoft Corporation)
C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote (Microsoft Corporation)
C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater (Nokia Corporation)
C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process (Nokia Corporation)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)
C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget (FlashGet.com)
C:\Program Files\SPSSInc\SPSS16\spss.exe:*:Disabled:SPSS 16.0 for Windows (1033:exe) (SPSS Inc)
C:\Program Files\SPSSInc\SPSS16\spss.com:*:Disabled:SPSS 16.0 for Windows (1033:com) (SPSS Inc)
C:\Program Files\SPSSInc\SPSS16\ExportToPowerPoint.exe:*:Disabled:SPSS PowerPoint Export Utility (1033) (SPSS Inc.)
C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2 ()
C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call (Microsoft Corporation)
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync (Microsoft Corporation)
C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger (Microsoft Corporation)
C:\WINDOWS\explorer.exe:*:Enabled:Explorer (Microsoft Corporation)
C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype (Skype Technologies S.A.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02627ee5-eaca-4742-a9cc-e687631773e4}" = Nero ShowTime
"{03528A01-7E5E-4C5F-94DF-1D8012E969EF}" = Nokia Map Loader
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2™
"{086a7d8c-0a38-4c7f-819a-620275550d5c}" = Nero Burning ROM Help
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{17BD85F9-3B88-4C85-BB47-4AB8DD68F8BB}" = Nokia Software Updater
"{1c00c7c5-e615-4139-b817-7f4003de68c0}" = Nero PhotoSnap Help
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{20400dbd-e6db-45b8-9b6b-1dd7033818ec}" = Nero InfoTool
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2348b586-c9ae-46ce-936c-a68e9426e214}" = Nero StartSmart Help
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{2A0A6470-FD0F-4F45-9B11-85F3167DB943}" = Nokia Flashing Cable Driver
"{2B7BC7C5-CE5F-373A-A1E7-37A5B909D933}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - TRK
"{2D21ECE3-8EC1-4315-AE4E-1970FB3AF17A}" = Nokia Nseries Video Manager
"{301BEB64-7C38-4BB5-8F94-62E6160532C8}" = Nokia Download!
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{33cf58f5-48d8-4575-83d6-96f574e4d83a}" = Nero DriveSpeed
"{350C941f-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{359cfc0a-beb1-440d-95ba-cf63a86da34f}" = Nero Recode
"{368ba326-73ad-4351-84ed-3c0a7a52cc53}" = Nero Rescue Agent
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3EB6332B-AF02-457C-A31C-835458C5B48B}" = TOSHIBA El Kitapları
"{43e39830-1826-415d-8bae-86845787b54b}" = Nero Vision
"{4497AFF6-98C4-4F49-B073-F48F42BCBF9E}" = TIPCI
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A460FEA-AF9C-416F-BA6E-EE239609BD1D}" = ATI Catalyst Control Center
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}" = InterVideo DeviceService
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{595a3116-40bb-4e0f-a2e8-d7951da56270}" = NeroExpress
"{5A41F810-D0AF-4B50-8F11-C242C76F6D24}" = Nokia Nseries PC Suite
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{5d9be3c1-8ba4-4e7e-82fd-9f74fa6815d1}" = Nero Vision
"{5e08ecd1-c98e-4711-bf65-8fd736b3f969}" = Nero RescueAgent Help
"{60c731fb-c951-41ce-ad41-8e54c8594609}" = Nero Disc Copy Gadget Help
"{621025AE-3510-478E-BC27-1A647150976F}" = SPSS 16.0 for Windows
"{62ac81f6-bdd3-4110-9d36-3e9eaab40999}" = Nero CoverDesigner
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76756402-BF1E-4A0F-AFCC-0EE6CF58F58C}" = ESET NOD32 Antivirus
"{7748ac8c-18e3-43bb-959b-088faea16fb2}" = Nero StartSmart
"{77C9FF53-426F-4974-90CB-A43DD0938313}" = Web Camera System
"{77e33d87-255e-413e-9c8d-eed2a7f9bebf}" = Nero Live Help
"{7829db6f-a066-4e40-8912-cb07887c20bb}" = Nero BurnRights
"{7EE94A24-188A-4D98-9018-37857701996E}" = Nokia Photos
"{82C0BCC7-A3ED-4AD9-9C94-6E71CAFC939E}" = Nokia NSeries Application Installer
"{83202942-84b3-4c50-8622-b8c0aa2d2885}" = Nero Express Help
"{85243696-5e58-4357-9cf8-3498c609941d}" = NeroLiveGadget Help
"{869200db-287a-4dc0-b02b-2b6787fbcd4c}" = Nero DiscSpeed
"{89A33B7F-A5C2-4F18-AD71-AC29278507B7}" = Nokia NSeries One Touch Access
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C5FAD77-F678-4758-A296-C12F08D179E0}" = Microsoft IntelliPoint 6.2
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90870373-8351-4F73-B5C1-73A9A01BAAEA}" = Nokia NSeries Content Copier
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for TOSHIBA
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{97B21A40-E5B6-4887-9CC4-38FB416A2998}" = Nokia NSeries System Utilities
"{98a67610-a3b5-4098-a423-3708040026d3}" = "Nero SoundTrax Help
"{99A40651-0BC2-4095-8F9A-A40FAB224FEF}" = PC Connectivity Solution
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9e82b934-9a25-445b-b8df-8012808074ac}" = Nero PhotoSnap
"{9e9fdde6-2c26-492a-85a0-05646b3f2795}" = NeroLiveGadget
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{a209525b-3377-43f4-b886-32f6b6e7356f}" = Nero WaveEditor
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{AC76BA86-7AD7-1055-7B44-A70000000000}" = Adobe Reader 7.0 - Turkish
"{ACFD4C9A-931B-3CAB-9F72-78FDE810F394}" = Microsoft .NET Framework 3.5 Language Pack SP1 - trk
"{ad6bc5cc-2ef0-49c4-b33d-cdc8b2c4dc80}" = Nero Recode Help
"{b1adf008-e898-4fe2-8a1f-690d9a06acaf}" = DolbyFiles
"{b2ec4a38-b545-4a00-8214-13fe0e915e6d}" = Advertising Center
"{b78120a0-cf84-4366-a393-4d0a59bc546c}" = Menu Templates - Starter Kit
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{bd5ca0da-71ad-43da-b19e-6eee0c9adc9a}" = Nero ControlCenter
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3F19A5F-35A8-4FDB-A6ED-0F4CE398DA48}" = Nokia Connectivity Cable Driver
"{C45F4811-31D5-4786-801D-F79CD06EDD85}" = SD Güvenli Modül
"{c5a7cb6c-e76d-408f-ba0e-85605420fe9d}" = SoundTrax
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{cc019e3f-59d2-4486-8d4b-878105b62a71}" = Nero DiscSpeed
"{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}" = Cisco Systems VPN Client 5.0.00.0340
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{ce96f5a5-584d-4f8f-aa3e-9baed413db72}" = Nero CoverDesigner Help
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{d025a639-b9c9-417d-8531-208859000af8}" = NeroBurningROM
"{D428D88A-3128-42F2-BC0D-B028A5A43C6F}" = Microsoft .NET Framework 1.1 Turkish Language Pack
"{d9dcf92e-72eb-412d-ac71-3b01276e5f8b}" = Nero ShowTime
"{DF3D3FFC-4404-457E-BA81-77BB7EA6FCF3}" = Mirar
"{df6a95f5-adc1-406a-bdc6-2aa7cc0182aa}" = Nero Live
"{E1674673-0F0D-3D81-B2A0-9842A986C1D6}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - TRK
"{e498385e-1c51-459a-b45f-1721e37aa1a0}" = Movie Templates - Starter Kit
"{e5c7d048-f9b4-4219-b323-8bdb01a2563d}" = Nero DriveSpeed
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{e8631efb-6b9a-426c-b1ce-e7173ca26bf8}" = Nero WaveEditor Help
"{e8a80433-302b-4ff1-815d-fcc8eac482ff}" = Nero Installer
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{f1861f30-3419-44db-b2a1-c274825698b3}" = Nero Disc Copy Gadget
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{f4041dce-3fe1-4e18-8a9e-9de65231ee36}" = Nero ControlCenter
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{f6bdd7c5-89ed-4569-9318-469aa9732572}" = Nero BurnRights
"{F99F9E24-EE2F-47FD-AEB0-FDB82859B5C9}" = VideoStudio
"{fbcdfd61-7dcf-4e71-9226-873ba0053139}" = Nero InfoTool
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CoreAVC Professional Edition" = CoreAVC Professional Edition (remove only)
"doPDF 6 printer_is1" = doPDF 6.0 printer
"Driver Checker_is1" = Driver Checker v2.7.2
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ExpressBurn" = Express Burn
"FlashGet" = FlashGet 1.9.6.1073
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"jv16 PowerTools 2009_is1" = jv16 PowerTools 2009
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 4.7.5
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 Language Pack SP1 - trk" = Microsoft .NET Framework 3.5 Dil Paketi SP1 - trk
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.9)" = Mozilla Firefox (3.0.9)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia NSeries Application Installer" = Nokia NSeries Application Installer 6.83.11
"Nokia NSeries Content Copier" = Nokia NSeries Content Copier 6.83.11
"Nokia NSeries One Touch Access" = Nokia NSeries One Touch Access 6.83.11
"Nokia NSeries System Utilities" = Nokia NSeries System Utilities 6.83.11
"Picasa2" = Picasa 2
"PROSet" = Intel® PRO Network Connections Drivers
"Registry Fix_is1" = RegistryFix v7.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"The KMPlayer" = The KMPlayer (remove only)
"Titledrome_is1" = Titledrome 3.0
"VLC media player" = VLC media player 0.9.8a
"VobSub" = VobSub v2.23 (Remove Only)
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01005" = Microsoft User-Mode Driver Framework Feature Pack 1.5
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"5f48e2ab41c5d005" = RapidShare Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 24.04.2009 04:36:20 | Computer Name = EPHESUS | Source = WinMgmt | ID = 10
Description = "SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct'
OR TargetInstance ISA 'FirewallProduct'" sorgusunu kullanan olay süzgeci, "//./ROOT/SecurityCenter"
ad boşluğunda 0x80041010 hatası nedeniyle etkinleştirilemedi. Sorun giderilinceye
kadar bu süzgeç kullanılarak olaylar alınamaz.

Error - 24.04.2009 04:36:20 | Computer Name = EPHESUS | Source = SecurityCenter | ID = 1804
Description = Windows Güvenlik Merkezi Hizmeti WMI'dan AntiVirusProduct örneklerini
yükleyemedi.

Error - 25.04.2009 10:36:32 | Computer Name = EPHESUS | Source = WinMgmt | ID = 10
Description = "SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct'
OR TargetInstance ISA 'FirewallProduct'" sorgusunu kullanan olay süzgeci, "//./ROOT/SecurityCenter"
ad boşluğunda 0x80041010 hatası nedeniyle etkinleştirilemedi. Sorun giderilinceye
kadar bu süzgeç kullanılarak olaylar alınamaz.

Error - 25.04.2009 10:36:32 | Computer Name = EPHESUS | Source = SecurityCenter | ID = 1804
Description = Windows Güvenlik Merkezi Hizmeti WMI'dan AntiVirusProduct örneklerini
yükleyemedi.

Error - 25.04.2009 10:44:05 | Computer Name = EPHESUS | Source = WinMgmt | ID = 10
Description = "SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct'
OR TargetInstance ISA 'FirewallProduct'" sorgusunu kullanan olay süzgeci, "//./ROOT/SecurityCenter"
ad boşluğunda 0x80041010 hatası nedeniyle etkinleştirilemedi. Sorun giderilinceye
kadar bu süzgeç kullanılarak olaylar alınamaz.

Error - 25.04.2009 10:44:06 | Computer Name = EPHESUS | Source = SecurityCenter | ID = 1804
Description = Windows Güvenlik Merkezi Hizmeti WMI'dan AntiVirusProduct örneklerini
yükleyemedi.

Error - 25.04.2009 11:19:46 | Computer Name = EPHESUS | Source = Application Hang | ID = 1002
Description = Askıda kalan uygulama firefox.exe, sürüm 1.9.0.3384, askı modülü hungapp,
sürüm 0.0.0.0, askıda kalma adresi 0x00000000.

Error - 25.04.2009 11:59:20 | Computer Name = EPHESUS | Source = Application Error | ID = 1000
Description = Hata uygulaması explorer.exe, sürüm 6.0.2900.5512, hata modülü qedit.dll,
sürümü 6.5.2600.5512, hata adresi 0x0006674c.

Error - 25.04.2009 12:05:35 | Computer Name = EPHESUS | Source = WinMgmt | ID = 10
Description = "SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct'
OR TargetInstance ISA 'FirewallProduct'" sorgusunu kullanan olay süzgeci, "//./ROOT/SecurityCenter"
ad boşluğunda 0x80041010 hatası nedeniyle etkinleştirilemedi. Sorun giderilinceye
kadar bu süzgeç kullanılarak olaylar alınamaz.

Error - 25.04.2009 12:05:35 | Computer Name = EPHESUS | Source = SecurityCenter | ID = 1804
Description = Windows Güvenlik Merkezi Hizmeti WMI'dan AntiVirusProduct örneklerini
yükleyemedi.

[ System Events ]
Error - 21.04.2009 17:22:15 | Computer Name = EPHESUS | Source = Service Control Manager | ID = 7026
Description = Aşağıdaki önyükleme başlatma ya da sistem başlatma sürücüsü(sürücüleri)
yüklenemedi: IntelIde

Error - 22.04.2009 03:07:26 | Computer Name = EPHESUS | Source = Service Control Manager | ID = 7023
Description = HID Input Service hizmet aşağıdaki hata ile sona erdi: %%2

Error - 22.04.2009 15:58:55 | Computer Name = EPHESUS | Source = Service Control Manager | ID = 7023
Description = HID Input Service hizmet aşağıdaki hata ile sona erdi: %%2

Error - 22.04.2009 15:58:58 | Computer Name = EPHESUS | Source = Service Control Manager | ID = 7026
Description = Aşağıdaki önyükleme başlatma ya da sistem başlatma sürücüsü(sürücüleri)
yüklenemedi: IntelIde

Error - 23.04.2009 14:00:16 | Computer Name = EPHESUS | Source = Service Control Manager | ID = 7023
Description = HID Input Service hizmet aşağıdaki hata ile sona erdi: %%2

Error - 24.04.2009 04:36:21 | Computer Name = EPHESUS | Source = Service Control Manager | ID = 7023
Description = HID Input Service hizmet aşağıdaki hata ile sona erdi: %%2

Error - 25.04.2009 10:36:32 | Computer Name = EPHESUS | Source = Service Control Manager | ID = 7023
Description = HID Input Service hizmet aşağıdaki hata ile sona erdi: %%2

Error - 25.04.2009 10:36:36 | Computer Name = EPHESUS | Source = Service Control Manager | ID = 7026
Description = Aşağıdaki önyükleme başlatma ya da sistem başlatma sürücüsü(sürücüleri)
yüklenemedi: IntelIde

Error - 25.04.2009 10:44:06 | Computer Name = EPHESUS | Source = Service Control Manager | ID = 7023
Description = HID Input Service hizmet aşağıdaki hata ile sona erdi: %%2

Error - 25.04.2009 12:05:35 | Computer Name = EPHESUS | Source = Service Control Manager | ID = 7023
Description = HID Input Service hizmet aşağıdaki hata ile sona erdi: %%2


< End of report >


Thanks very much in advance guys,

Cheers,
xxx

Edited by CatByte, 15 June 2009 - 11:01 AM.


#2
CatByte


    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
Hi,

Please do the following:

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.


#3
invinciblebjk


    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
As soon as I clicked Combofix, it made a backup and started scanning/deleting files itself. My laptop seems to be running fine just now, but has it deleted the file? Should I run a virus scan?

Thanks again and I am pasting the log here again:

ComboFix 09-04-25.A1 - xxx xxxxxx 25.04.2009 17:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.3070.2641 [GMT 1:00]
Running from: c:\documents and settings\xxxxxxxx\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\windows\system32\drivers\ovfsthnubsikxewsrngloxetbwwbhqxmskwqxk.sys
c:\windows\system32\ovfsthdthndqnqjjhpvallbryhssxdyjverqob.dll
c:\windows\system32\ovfsthlllbideirthdinmlcbojularfcmerxro.dat
c:\windows\system32\ovfsthojluwicglaxrkbwaxetfncfvkkxbittp.dat
c:\windows\system32\ovfsthovhkriecdfrnqnwefeubpfklqoniyxjk.dll
c:\windows\system32\ovfsthqafupjbxiwewkbuyexthgwjwskoywwra.dll
c:\windows\system32\pthreadGC2.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthxwevmeyqbimrpcdpuybvlrlxfmqjomvu


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-25 16:39 . 2009-04-25 16:39 -------- d--h--w c:\windows\PIF
2009-04-25 16:12 . 2009-04-25 16:20 -------- d-----w C:\Rooter$
2009-04-25 15:31 . 2009-04-25 15:33 -------- d-----w c:\program files\jv16 PowerTools 2009
2009-04-24 22:20 . 2009-04-24 22:20 -------- d-----w c:\documents and settings\xxx xxxxxx\Application Data\TrojanHunter
2009-04-24 10:16 . 2009-04-25 16:05 -------- d-----w c:\program files\Trojan Remover
2009-04-24 10:02 . 2009-04-25 15:16 -------- d-----w c:\program files\TrojanHunter 5.0
2009-04-24 09:58 . 2009-04-24 09:58 102800 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-22 07:09 . 2009-01-09 19:19 1089883 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-21 21:54 . 2009-04-21 21:54 224 ----a-w c:\windows\system32\spupdsvc.inf
2009-04-21 21:51 . 2009-04-22 07:06 -------- d-----w c:\windows\SxsCaPendDel
2009-04-21 20:55 . 2009-04-21 20:55 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-21 20:49 . 2009-04-21 20:49 -------- d-----w c:\documents and settings\xxx xxxxxx\Local Settings\Application Data\ESET
2009-04-15 20:05 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 20:04 . 2009-03-06 14:20 283136 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:04 . 2009-02-09 11:23 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 20:04 . 2009-02-09 10:52 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:04 . 2009-02-09 10:52 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:04 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 20:04 . 2009-02-09 10:52 682496 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:04 . 2009-02-09 10:52 728576 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:04 . 2009-02-09 10:52 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:04 . 2009-02-09 10:52 710144 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 20:03 . 2009-03-27 06:48 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 20:03 . 2008-04-21 21:15 216576 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 00:50 . 2009-04-13 00:50 -------- d-----w c:\program files\ESET
2009-04-13 00:50 . 2009-04-13 00:50 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-10 21:46 . 2009-04-10 21:49 -------- d-----w c:\program files\The KMPlayer
2009-04-10 21:40 . 2009-04-10 21:40 -------- d-----w c:\program files\Haali
2009-04-10 21:40 . 2009-04-10 21:40 -------- d-----w c:\program files\CoreCodec
2009-04-09 14:21 . 2009-04-09 14:21 94360 ----a-w c:\windows\system32\drivers\epfwtdir.sys
2009-04-09 14:18 . 2009-04-09 14:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 14:10 . 2009-04-09 14:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 16:50 . 2006-01-31 15:19 82308 ----a-w c:\windows\system32\perfc01F.dat
2009-04-25 16:50 . 2006-01-31 15:19 431542 ----a-w c:\windows\system32\perfh01F.dat
2009-04-25 16:20 . 2009-04-25 16:13 2751 ----a-w C:\Rooter.txt
2009-04-25 16:05 . 2009-01-31 16:32 -------- d-----w c:\documents and settings\xxx xxxxx\Application Data\Skype
2009-04-25 16:05 . 2009-01-31 16:53 -------- d-----w c:\documents and settings\xxx xxxxx\Application Data\skypePM
2009-04-25 16:02 . 2008-04-05 09:59 -------- d-----w c:\program files\Lavasoft
2009-04-25 16:00 . 2008-04-02 07:23 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-25 16:00 . 2008-09-24 13:07 -------- d-----w c:\program files\FlashGet
2009-04-25 15:19 . 2009-03-05 23:51 -------- d-----w c:\documents and settings\xxx xxxxx\Application Data\Eltima Software
2009-04-25 14:51 . 2008-09-22 17:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:43 . 2009-04-24 08:35 900 ----a-w C:\aaw7boot.log
2009-04-25 14:26 . 2008-03-22 10:35 102472 ----a-w c:\documents and settings\xxx xxxxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 21:13 . 2009-03-03 11:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-21 20:55 . 2009-01-21 20:55 50688 --sha-w c:\windows\system32\gitisowe.exe
2009-04-18 17:49 . 2008-05-24 10:42 -------- d-----w c:\program files\Common Files\Apple
2009-04-16 02:03 . 2008-10-12 18:23 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-13 00:46 . 2008-09-22 19:52 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-10 16:41 . 2009-01-23 16:48 -------- d-----w c:\program files\Driver Checker
2009-04-06 14:32 . 2009-03-03 11:10 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2009-03-03 11:10 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 13:58 . 2008-04-17 16:05 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-31 16:57 . 2009-03-24 15:52 -------- d-----w c:\documents and settings\xxx xxxxx\Application Data\dvdcss
2009-03-24 15:53 . 2009-03-24 15:52 -------- d-----w c:\documents and settings\xxx xxxxx\Application Data\vlc
2009-03-24 15:51 . 2009-03-24 15:51 -------- d-----w c:\program files\VideoLAN
2009-03-06 14:20 . 2006-01-31 15:19 283136 ----a-w c:\windows\system32\pdh.dll
2009-03-06 00:25 . 2008-04-10 06:20 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-06 00:05 . 2009-03-06 00:05 -------- d-----w c:\program files\OJOsoft
2009-03-05 19:41 . 2008-03-22 12:57 -------- d-----w c:\program files\Windows Live
2009-03-05 19:36 . 2009-03-05 19:36 -------- d-----w c:\program files\Microsoft
2009-03-05 19:36 . 2009-03-05 19:36 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-05 19:30 . 2009-03-05 19:30 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-03 00:05 . 2006-01-31 15:19 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 18:10 . 2009-04-13 00:42 67584 ----a-w c:\windows\system32\ff_vfw.dll
2009-02-28 22:57 . 2009-02-28 22:57 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-28 22:56 . 2009-02-28 22:56 201352 ----a-w c:\windows\system32\PnkBstrB.exe
2009-02-28 22:56 . 2009-02-28 22:56 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-28 20:57 . 2009-02-28 20:57 -------- d-----w c:\program files\EA GAMES
2009-02-28 20:57 . 2006-02-01 07:12 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 17:08 . 2006-01-31 15:19 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:05 . 2006-01-31 15:19 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:23 . 2004-08-04 00:40 2025984 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:23 . 2006-01-31 15:19 2147328 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:23 . 2006-01-31 15:19 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:52 . 2006-01-31 15:19 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:52 . 2006-01-31 15:19 710144 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:52 . 2006-01-31 15:19 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:52 . 2006-01-31 15:19 682496 ----a-w c:\windows\system32\advapi32.dll
2009-02-06 19:03 . 2009-02-06 19:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2006-01-31 15:19 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:57 . 2006-01-31 15:19 56832 ----a-w c:\windows\system32\secur32.dll
2008-03-22 10:39 . 2008-03-22 10:35 132 ----a-w c:\documents and settings\xxx xxxxx\Local Settings\Application Data\fusioncache.dat
2008-12-09 23:01 . 2008-12-09 23:01 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120920081210\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TDispVol"="c:\windows\system32\TDispVol.exe" [2005-09-16 73728]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-24 18081280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Adobe Reader Hızlı Çalıştırma.lnk]
backup=c:\windows\pss\Adobe Reader Hızlı Çalıştırma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Bluetooth Manager.lnk]
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Nokia Nseries PC Suite.lnk]
backup=c:\windows\pss\Nokia Nseries PC Suite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^VPN Client.lnk]
backup=c:\windows\pss\VPN Client.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software4u-UpdateServer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSSInc\\SPSS16\\ExportToPowerPoint.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21018:TCP"= 21018:TCP:BitComet 21018 TCP
"21018:UDP"= 21018:UDP:BitComet 21018 UDP
"18829:TCP"= 18829:TCP:BitComet 18829 TCP
"18829:UDP"= 18829:UDP:BitComet 18829 UDP
"60000:TCP"= 60000:TCP:BitComet 60000 TCP
"60000:UDP"= 60000:UDP:BitComet 60000 UDP
"22394:TCP"= 22394:TCP:BitComet 22394 TCP
"22394:UDP"= 22394:UDP:BitComet 22394 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 camvid40;Philips SPC 900NC PC Camera;c:\windows\system32\DRIVERS\camdrv41.sys [2005-09-12 1239552]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
R3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\DRIVERS\OVCA.sys [2001-08-17 25088]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-04-09 94360]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-04-09 731840]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8959a6d4-0da5-11de-8adc-00a0d145bb90}]
\Shell\AutoRun\command - explorer .
\Shell\mobile\command - G:\MobileLaunch.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 09:34]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{DF3D3FFC-4404-457E-BA81-77BB7EA6FCF3} - (no file)
WebBrowser-{DF3D3FFC-4404-457E-BA81-77BB7EA6FCF3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
TCP: {7B6CC36C-1CA7-40D7-8C16-67A546ACC108} = 4.2.2.1
FF - ProfilePath - c:\documents and settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\qlxl1e1p.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 17:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1284)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-25 17:52
ComboFix-quarantined-files.txt 2009-04-25 16:52

Pre-Run: 39.503.953.920 bayt boş
Post-Run: 40.129.392.640 bayt boş

233 --- E O F --- 2009-04-22 08:27

Edited by CatByte, 15 June 2009 - 11:03 AM.


#4
CatByte


    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
c:\windows\system32\gitisowe.exe

Folder::
C:\WINDOWS\System32\zulenipe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8959a6d4-0da5-11de-8adc-00a0d145bb90}]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


* Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
* ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
* When finished, it shall produce a log for you.
* Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NOTE: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


NEXT::

Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the [image] icon to insert the attachment into your post


#5 invinciblebjk (Topic Starter; Member, 12 posts)
Combofix log:

ComboFix 09-04-25.A1 - xxxxxxxxx 25.04.2009 19:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.3070.2146 [GMT 1:00]
Running from: c:\documents and settings\xxxxxxxxx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\xxxxxxxxxxDesktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\gitisowe.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gitisowe.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-25 16:39 . 2009-04-25 16:39 -------- d--h--w c:\windows\PIF
2009-04-25 16:12 . 2009-04-25 16:20 -------- d-----w C:\Rooter$
2009-04-25 15:31 . 2009-04-25 15:33 -------- d-----w c:\program files\jv16 PowerTools 2009
2009-04-24 22:20 . 2009-04-24 22:20 -------- d-----w c:\documents and settings\xxxxxxxxxx\Application Data\TrojanHunter
2009-04-24 10:16 . 2009-04-25 16:05 -------- d-----w c:\program files\Trojan Remover
2009-04-24 10:02 . 2009-04-25 15:16 -------- d-----w c:\program files\TrojanHunter 5.0
2009-04-24 09:58 . 2009-04-24 09:58 102800 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-22 07:09 . 2009-01-09 19:19 1089883 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-21 21:54 . 2009-04-21 21:54 224 ----a-w c:\windows\system32\spupdsvc.inf
2009-04-21 21:51 . 2009-04-22 07:06 -------- d-----w c:\windows\SxsCaPendDel
2009-04-21 20:55 . 2009-04-21 20:55 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-21 20:49 . 2009-04-21 20:49 -------- d-----w c:\documents and settings\xxxxxxxxx\Local Settings\Application Data\ESET
2009-04-15 20:05 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 20:04 . 2009-03-06 14:20 283136 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:04 . 2009-02-09 11:23 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 20:04 . 2009-02-09 10:52 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:04 . 2009-02-09 10:52 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:04 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 20:04 . 2009-02-09 10:52 682496 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:04 . 2009-02-09 10:52 728576 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:04 . 2009-02-09 10:52 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:04 . 2009-02-09 10:52 710144 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 20:03 . 2009-03-27 06:48 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 20:03 . 2008-04-21 21:15 216576 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 00:50 . 2009-04-13 00:50 -------- d-----w c:\program files\ESET
2009-04-13 00:50 . 2009-04-13 00:50 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-10 21:46 . 2009-04-10 21:49 -------- d-----w c:\program files\The KMPlayer
2009-04-10 21:40 . 2009-04-10 21:40 -------- d-----w c:\program files\Haali
2009-04-10 21:40 . 2009-04-10 21:40 -------- d-----w c:\program files\CoreCodec
2009-04-09 14:21 . 2009-04-09 14:21 94360 ----a-w c:\windows\system32\drivers\epfwtdir.sys
2009-04-09 14:18 . 2009-04-09 14:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 14:10 . 2009-04-09 14:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 16:53 . 2006-01-31 15:19 82308 ----a-w c:\windows\system32\perfc01F.dat
2009-04-25 16:53 . 2006-01-31 15:19 431542 ----a-w c:\windows\system32\perfh01F.dat
2009-04-25 16:20 . 2009-04-25 16:13 2751 ----a-w C:\Rooter.txt
2009-04-25 16:05 . 2009-01-31 16:32 -------- d-----w c:\documents and settings\xxxxxxxxxx\Application Data\Skype
2009-04-25 16:05 . 2009-01-31 16:53 -------- d-----w c:\documents and settings\xxxxxxxxxx\Application Data\skypePM
2009-04-25 16:02 . 2008-04-05 09:59 -------- d-----w c:\program files\Lavasoft
2009-04-25 16:00 . 2008-04-02 07:23 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-25 16:00 . 2008-09-24 13:07 -------- d-----w c:\program files\FlashGet
2009-04-25 15:19 . 2009-03-05 23:51 -------- d-----w c:\documents and settings\xxxxxxxxxx\Application Data\Eltima Software
2009-04-25 14:51 . 2008-09-22 17:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:43 . 2009-04-24 08:35 900 ----a-w C:\aaw7boot.log
2009-04-25 14:26 . 2008-03-22 10:35 102472 ----a-w c:\documents and settings\xxxxxxxxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 21:13 . 2009-03-03 11:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 17:49 . 2008-05-24 10:42 -------- d-----w c:\program files\Common Files\Apple
2009-04-16 02:03 . 2008-10-12 18:23 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-13 00:46 . 2008-09-22 19:52 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-10 16:41 . 2009-01-23 16:48 -------- d-----w c:\program files\Driver Checker
2009-04-06 14:32 . 2009-03-03 11:10 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2009-03-03 11:10 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 13:58 . 2008-04-17 16:05 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-31 16:57 . 2009-03-24 15:52 -------- d-----w c:\documents and settings\xxxxxxxxx\Application Data\dvdcss
2009-03-24 15:53 . 2009-03-24 15:52 -------- d-----w c:\documents and settings\xxxxxxxxx\Application Data\vlc
2009-03-24 15:51 . 2009-03-24 15:51 -------- d-----w c:\program files\VideoLAN
2009-03-06 14:20 . 2006-01-31 15:19 283136 ----a-w c:\windows\system32\pdh.dll
2009-03-06 00:25 . 2008-04-10 06:20 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-06 00:05 . 2009-03-06 00:05 -------- d-----w c:\program files\OJOsoft
2009-03-05 19:41 . 2008-03-22 12:57 -------- d-----w c:\program files\Windows Live
2009-03-05 19:36 . 2009-03-05 19:36 -------- d-----w c:\program files\Microsoft
2009-03-05 19:36 . 2009-03-05 19:36 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-05 19:30 . 2009-03-05 19:30 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-03 00:05 . 2006-01-31 15:19 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 18:10 . 2009-04-13 00:42 67584 ----a-w c:\windows\system32\ff_vfw.dll
2009-02-28 22:57 . 2009-02-28 22:57 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-28 22:56 . 2009-02-28 22:56 201352 ----a-w c:\windows\system32\PnkBstrB.exe
2009-02-28 22:56 . 2009-02-28 22:56 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-28 20:57 . 2009-02-28 20:57 -------- d-----w c:\program files\EA GAMES
2009-02-28 20:57 . 2006-02-01 07:12 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 17:08 . 2006-01-31 15:19 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:05 . 2006-01-31 15:19 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:23 . 2004-08-04 00:40 2025984 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:23 . 2006-01-31 15:19 2147328 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:23 . 2006-01-31 15:19 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:52 . 2006-01-31 15:19 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:52 . 2006-01-31 15:19 710144 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:52 . 2006-01-31 15:19 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:52 . 2006-01-31 15:19 682496 ----a-w c:\windows\system32\advapi32.dll
2009-02-06 19:03 . 2009-02-06 19:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2006-01-31 15:19 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:57 . 2006-01-31 15:19 56832 ----a-w c:\windows\system32\secur32.dll
2008-03-22 10:39 . 2008-03-22 10:35 132 ----a-w c:\documents and settings\xxxxxxxxx\Local Settings\Application Data\fusioncache.dat
2008-12-09 23:01 . 2008-12-09 23:01 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120920081210\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-25_16.50.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-01-31 15:19 . 2009-04-25 16:50 72238 c:\windows\system32\perfc009.dat
+ 2006-01-31 15:19 . 2009-04-25 16:53 72238 c:\windows\system32\perfc009.dat
+ 2006-01-31 15:19 . 2009-04-25 16:53 444362 c:\windows\system32\perfh009.dat
- 2006-01-31 15:19 . 2009-04-25 16:50 444362 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TDispVol"="c:\windows\system32\TDispVol.exe" [2005-09-16 73728]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-24 18081280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Adobe Reader Hızlı Çalıştırma.lnk]
backup=c:\windows\pss\Adobe Reader Hızlı Çalıştırma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Bluetooth Manager.lnk]
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Nokia Nseries PC Suite.lnk]
backup=c:\windows\pss\Nokia Nseries PC Suite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^VPN Client.lnk]
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSSInc\\SPSS16\\ExportToPowerPoint.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21018:TCP"= 21018:TCP:BitComet 21018 TCP
"21018:UDP"= 21018:UDP:BitComet 21018 UDP
"18829:TCP"= 18829:TCP:BitComet 18829 TCP
"18829:UDP"= 18829:UDP:BitComet 18829 UDP
"60000:TCP"= 60000:TCP:BitComet 60000 TCP
"60000:UDP"= 60000:UDP:BitComet 60000 UDP
"22394:TCP"= 22394:TCP:BitComet 22394 TCP
"22394:UDP"= 22394:UDP:BitComet 22394 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 camvid40;Philips SPC 900NC PC Camera;c:\windows\system32\DRIVERS\camdrv41.sys [2005-09-12 1239552]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
R3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\DRIVERS\OVCA.sys [2001-08-17 25088]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-04-09 94360]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-04-09 731840]

.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 09:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
TCP: {7B6CC36C-1CA7-40D7-8C16-67A546ACC108} = 4.2.2.1
FF - ProfilePath - c:\documents and settings\xxxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\qlxl1e1p.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 19:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1284)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-25 19:22
ComboFix-quarantined-files.txt 2009-04-25 18:21
ComboFix2.txt 2009-04-25 16:52

Pre-Run: 39.888.281.600 bytes free
Post-Run: 39.868.207.104 bytes free

218 --- E O F --- 2009-04-22 08:27


ROOTREPEAL.TXT LOG:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/25 19:25
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\EFEAKA~1\LOCALS~1\Temp\catchme.sys
Address: 0xF77FF000 Size: 31744 File Visible: No
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF7677000 Size: 60416 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA92FB000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79DF000 Size: 8192 File Visible: No
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xA6EDF000 Size: 6464 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA639D000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\_restore{F4A227CB-E445-497E-AD43-963D9C00DA87}\RP382\change.log
Status: Size mismatch (API: 171360, Raw: 170684)

Path: C:\Documents and Settings\xxxxxxxxxx\Local Settings\temp\etilqs_isQoxwQS5dCekqna65VV
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\xxxxxxxxx\Local Settings\Apps\2.0\VAJCR372.90Z\WNVJHO14.RXZ\manifests\Interop.IWshRuntimeLibrary.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\xxxxxxxxx\Local Settings\Apps\2.0\VAJCR372.90Z\WNVJHO14.RXZ\manifests\Interop.IWshRuntimeLibrary.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\xxxxxxxxx\Local Settings\Apps\2.0\VAJCR372.90Z\WNVJHO14.RXZ\manifests\RapidShareManager.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\xxxxxxxxx\Local Settings\Apps\2.0\VAJCR372.90Z\WNVJHO14.RXZ\manifests\RapidShareManager.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\xxxxxxxxx\Local Settings\Apps\2.0\VAJCR372.90Z\WNVJHO14.RXZ\manifests\RapidShareManager.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\xxxxxxxxx\Local Settings\Apps\2.0\VAJCR372.90Z\WNVJHO14.RXZ\manifests\RapidShareManager.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\xxxxxxxxx\Local Settings\Apps\2.0\VAJCR372.90Z\WNVJHO14.RXZ\manifests\RapidShareManager.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\xxxxxxxxx\Local Settings\Apps\2.0\VAJCR372.90Z\WNVJHO14.RXZ\manifests\RapidShareManager.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\xxxxxxxxx\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{54433B03-BD56-1536-888E-17620FC2BD4E}\01\10-{54433B03-BD56-1536-888E-17620FC2BD4E}-v1-{E1CDE18D-C24B-4481-8BD4-ABD1C0565D11}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\xxxxxxxxx\Application Data\Macromedia\Flash Player\#SharedObjects\4MQ2P83L\l.yimg.com\cosmos.bcst.yahoo.com\ver\260.0\embed-2008-03-20-0932\swf\yup_embed_module.swf\TestMovie_Config_Info.sol:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x88e87630

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x88e86a60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x88e86e80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x88e87460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x88e87280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x88e86c90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x88e870b0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a72b280]
Process: System Address: 0x88e85790 Size: -




Thanks again...

Edited by CatByte, 15 June 2009 - 11:08 AM.

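A reader triaging the RootRepeal report above wants three things the raw listing does not say outright: which "File Visible: No" drivers are the scanners' own (catchme.sys belongs to ComboFix, rootrepeal.sys to RootRepeal, PROCEXP90.SYS to Process Explorer, the dump_*.sys pair to crash-dump support), which hidden-file entries are routine (hiberfil.sys, restore-point change logs, and the Flash Player entry whose ":{GUID}.XPRESS" suffix is an NTFS alternate data stream name), and what the seven SSDT hooks amount to. Those hooks all land within about 3 KB of one another (0x88e86a60 to 0x88e87630) and cover only process- and thread-control services, a pattern consistent with a single security product's self-protection driver (NOD32 is installed on this machine) rather than with a rootkit hiding files or keys, though the report names no owner and the inference stays unverified until the address is mapped to a loaded driver. The Python script below is an added example, not code from the thread or from RootRepeal; it parses that report layout and applies those rules. The embedded report is a constructed, shortened sample in the same format with a placeholder user name, and the "expected" and "scanner-tool" lists are this example's own assumptions.

```python
import re

# Constructed sample in the RootRepeal report layout shown in the post above:
# same section headers and field names, a shortened subset of entries, and a
# placeholder user name. It is not the poster's actual report.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\USER~1\LOCALS~1\Temp\catchme.sys
Address: 0xF77FF000 Size: 31744 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Application Data\Macromedia\Flash Player\#SharedObjects\TestMovie_Config_Info.sol:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x88e86a60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x88e86e80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x88e87460

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a72b280]
Process: System Address: 0x88e85790 Size: -
"""

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|SSDT|Stealth Objects)\n-+\n", re.M)
SCANNER_DRIVERS = {"catchme.sys", "combo-fix.sys", "rootrepeal.sys", "procexp90.sys"}  # assumed tool drivers
# Services a self-protection driver hooks to guard its processes, versus services a rootkit hooks to hide things.
PROCESS_CONTROL = {"NtOpenProcess", "NtOpenThread", "NtTerminateProcess", "NtTerminateThread",
                   "NtSuspendProcess", "NtSuspendThread", "NtAssignProcessToJobObject"}
CONCEALMENT = {"NtQueryDirectoryFile", "NtQuerySystemInformation", "NtEnumerateKey",
               "NtEnumerateValueKey", "NtOpenKey", "NtCreateFile"}

def split_sections(text):
    """Map section name -> list of records (each record = the lines of one blank-line-separated block)."""
    out, parts = {}, SECTION_RE.split(text)  # [preamble, name1, body1, name2, body2, ...]
    for name, body in zip(parts[1::2], parts[2::2]):
        out[name] = [blk.strip().splitlines() for blk in body.strip().split("\n\n") if blk.strip()]
    return out

def classify_drivers(recs):
    verdicts = []
    for rec in recs:
        name = rec[0].split(": ", 1)[1].lower()
        verdicts.append((name, "scanner-tool" if name in SCANNER_DRIVERS else
                         "crash-dump" if name.startswith("dump_") else "review"))
    return verdicts

def classify_hidden_files(recs):
    out = []
    for rec in recs:
        path, status = rec[0].split(": ", 1)[1], rec[1].split(": ", 1)[1]
        ads = ":" in path[2:]  # a colon past the drive letter names an NTFS alternate data stream
        base = path.rsplit("\\", 1)[-1].lower()
        verdict = ("expected" if base in {"hiberfil.sys", "pagefile.sys"} else
                   "restore-point" if "system volume information" in path.lower() else
                   "ads-review" if ads else "review" if "Invisible" in status else "locked-only")
        out.append({"path": path, "ads": ads, "verdict": verdict})
    return out

def parse_ssdt(recs):
    hooks = []
    for rec in recs:
        m = re.match(r"#: (\d+) Function Name: (\w+)", rec[0])
        h = re.search(r'Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)', rec[1])
        if m and h:
            hooks.append({"index": int(m.group(1)), "function": m.group(2),
                          "owner": h.group(1), "address": int(h.group(2), 16)})
    return hooks

def hook_profile(hooks, window=0x10000):
    """Hook targets that all sit inside one 64 KB window point to a single hooking module."""
    funcs = {h["function"] for h in hooks}
    addrs = [h["address"] for h in hooks]
    span = max(addrs) - min(addrs) if addrs else 0
    pattern = ("process-control" if funcs and funcs <= PROCESS_CONTROL else
               "concealment" if funcs and funcs <= CONCEALMENT else "mixed" if funcs else "none")
    return {"count": len(hooks), "span_bytes": span,
            "single_module_likely": bool(addrs) and span < window, "pattern": pattern}

def triage(text):
    sec = split_sections(text)
    hooks = parse_ssdt(sec.get("SSDT", []))
    return {"drivers": classify_drivers(sec.get("Drivers", [])),
            "hidden_files": classify_hidden_files(sec.get("Hidden/Locked Files", [])),
            "ssdt_hooks": hooks, "ssdt_profile": hook_profile(hooks),
            "stealth_objects": [rec[0] for rec in sec.get("Stealth Objects", [])]}
```

Run `triage(open("RootRepeal.txt").read())` on a saved report; a "process-control" profile with a small address span is a prompt to identify the driver that owns that address range, while a "concealment" or "mixed" profile with an unknown owner is what actually warrants rootkit follow-up.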

#6 CatByte (GeekU Teacher; GeekU Moderator, MVP, 2,705 posts)
Hi,

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



>>>NEXT<<<


Go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

In your next reply I need

  • MBAM Log
  • Kaspersky report


#7 invinciblebjk (Topic Starter; Member, 12 posts)
Hi again,

Here is my MBAM report:

Malwarebytes' Anti-Malware 1.36
Database version: 2021
Windows 5.1.2600 Service Pack 3

25.04.2009 20:57:25
mbam-log-2009-04-25 (20-57-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 174627
Time elapsed: 1 hour(s), 11 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{F4A227CB-E445-497E-AD43-963D9C00DA87}\RP381\A0089918.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4A227CB-E445-497E-AD43-963D9C00DA87}\RP381\A0089920.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F4A227CB-E445-497E-AD43-963D9C00DA87}\RP381\A0089921.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


Here is my Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 26, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, April 25, 2009 20:06:28
Records in database: 2078441
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 93129
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:37:00


File name / Threat name / Threats count
C:\System Volume Information\_restore{F4A227CB-E445-497E-AD43-963D9C00DA87}\RP381\A0089919.dll Infected: Trojan.Win32.Tdss.aalc 1

The selected area was scanned.



Thanks again guys!!
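Every hit in the two reports above lies under C:\System Volume Information\_restore{...}\RP381\, which is where System Restore keeps copies of files that were replaced or deleted when the restore point was taken; those are snapshots of the earlier TDSS components, not files that are loaded or in use, and they are cleared by purging System Restore rather than by another scan. The Python script below is an added example, not code from the thread or from either scanner: it parses the MBAM "Files Infected:" lines and the Kaspersky result lines into one list and separates restore-point copies from live paths, which is the check that decides whether the machine still has an active infection. The embedded lines are constructed samples in the two formats shown above with a placeholder GUID; the non-restore-point path is made up to exercise the live case.

```python
import re

# Constructed sample lines in the two formats shown in the post above: MBAM
# "Files Infected:" entries and a Kaspersky Online Scanner result line. The GUID,
# the restore-point number and the live path are placeholders, not the poster's.
MBAM_SAMPLE = r"""
Files Infected:
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP381\A0089918.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP381\A0089920.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\placeholder.sys (Trojan.TDSS) -> Delete on reboot.
"""
KASPERSKY_SAMPLE = r"""
File name / Threat name / Threats count
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP381\A0089919.dll Infected: Trojan.Win32.Tdss.aalc 1
"""

MBAM_RE = re.compile(r"^([A-Za-z]:\\.+?) \(([^)]+)\) -> (.+)$")
KAV_RE = re.compile(r"^([A-Za-z]:\\.+?) Infected: (\S+) (\d+)$")
# System Restore stores copies of replaced files as _restore{GUID}\RP<n>\A<digits>.<ext>
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\", re.I)

def parse_hits(mbam_text, kav_text):
    """Normalise both scanners' hit lines to dicts and tag restore-point copies."""
    hits = []
    for line in mbam_text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            hits.append({"scanner": "MBAM", "path": m.group(1), "threat": m.group(2), "action": m.group(3)})
    for line in kav_text.splitlines():
        m = KAV_RE.match(line.strip())
        if m:  # the online scanner only reports; it does not remove
            hits.append({"scanner": "Kaspersky", "path": m.group(1), "threat": m.group(2), "action": "reported only"})
    for h in hits:
        rp = RESTORE_RE.search(h["path"])
        h["restore_point"] = int(rp.group(1)) if rp else None
    return hits

def summarize(hits):
    """Split live files (need removal now) from restore-point copies (need a System Restore purge)."""
    live = [h for h in hits if h["restore_point"] is None]
    rps = sorted({h["restore_point"] for h in hits if h["restore_point"] is not None})
    return {"total": len(hits), "live": live, "restore_points": rps,
            "restore_only": bool(hits) and not live,
            "pending_reboot": [h["path"] for h in hits if "reboot" in h["action"].lower()]}
```

With the actual reports, `summarize(parse_hits(mbam, kav))["restore_only"]` is True, so the remaining work is purging the restore points, not chasing a live driver; a "Delete on reboot" action in the live list means the file was still locked and the reboot has to happen before re-scanning.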

#8 CatByte (GeekU Teacher; GeekU Moderator, MVP, 2,705 posts)
Please rerun the Rooter program and the OTListIt2 program that you ran in the initial steps; I need to make sure we have deleted the rootkit completely.

Thanks

CB

#9 invinciblebjk (Topic Starter; Member, 12 posts)
Thanks for the fast replies....


Here is the Rooter log:

Microsoft Windows XP Home Edition (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:76065 Mo/Free:850 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

26.04.2009| 3:23

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
---------- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
---------- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
---------- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
---------- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
---------- C:\WINDOWS\system32\PnkBstrA.exe
---------- C:\WINDOWS\system32\PnkBstrB.exe
---------- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
---------- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\system32\wscntfy.exe
---------- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
---------- C:\WINDOWS\explorer.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\WINDOWS\system32\wbem\wmiapsrv.exe
---------- C:\Program Files\Mozilla Firefox\firefox.exe
---------- C:\Program Files\Java\jre6\bin\java.exe
---------- C:\Documents and Settings\xxxxxxxxx\Local Settings\temp\jkos-xxxxxxxxx\binaries\ScanningProcess.exe
---------- C:\Documents and Settings\xxxxxxxxx\Local Settings\temp\jkos-xxxxxxxxx\binaries\ScanningProcess.exe
---------- C:\WINDOWS\system32\igfxsrvc.exe
---------- C:\Documents and Settings\xxxxxxxxx\Desktop\Rooter.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV


1 - "C:\Rooter$\Rooter_1.txt" - 25.04.2009|17:13
2 - "C:\Rooter$\Rooter_2.txt" - 25.04.2009|17:20
3 - "C:\Rooter$\Rooter_3.txt" - 26.04.2009| 3:24

----------------------\\ Scan completed at 3:24


Here is the OTListIt2 log:



OTListIt logfile created on: 26.04.2009 03:25:21 - Run 3
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\xxxxxxxxx\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 0000041F | Country: Türkiye | Language: TRK | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,84 Gb Available Physical Memory | 91,96% Memory free
4,00 Gb Paging File | 3,67 Gb Available in Paging File | 91,73% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,28 Gb Total Space | 36,83 Gb Free Space | 49,58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EPHESUS
Current User Name: xxxxxxxxxx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe (InterVideo Inc.)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\WINDOWS\system32\PnkBstrA.exe ()
PRC - C:\WINDOWS\system32\PnkBstrB.exe ()
PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)
PRC - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Java\jre6\bin\java.exe (Sun Microsystems, Inc.)
PRC - C:\Documents and Settings\xxxxxxxxxx\Local Settings\temp\jkos-xxxxxxxxxx\binaries\ScanningProcess.exe (Kaspersky Lab.)
PRC - C:\Documents and Settings\xxxxxxxxx\Local Settings\temp\jkos-xxxxxxxxx\binaries\ScanningProcess.exe (Kaspersky Lab.)
PRC - C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)
PRC - C:\Documents and Settings\xxxxxxxxxx\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (Capture Device Service [Auto | Running]) -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe (InterVideo Inc.)
SRV - (CFSvcs [Auto | Running]) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (CVPND [Auto | Running]) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (EhttpSrv [On_Demand | Stopped]) -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (ESET)
SRV - (ekrn [Auto | Running]) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
SRV - (EvtEng [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (Nero BackItUp Scheduler 4.0 [Auto | Running]) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PnkBstrA [Auto | Running]) -- C:\WINDOWS\system32\PnkBstrA.exe ()
SRV - (PnkBstrB [Auto | Running]) -- C:\WINDOWS\system32\PnkBstrB.exe ()
SRV - (RegSrvc [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (S24EventMonitor [Auto | Running]) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
SRV - (ServiceLayer [On_Demand | Stopped]) -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (TAPPSRV [Auto | Running]) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)
SRV - (UleadBurningHelper [Auto | Running]) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (Ulead Systems, Inc.)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

========== Driver Services (SafeList) ==========

DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys (Meetinghouse Data Communications)
DRV - (AgereSoftModem [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\AGRSM.sys (Agere Systems)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (camvid40 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\camdrv41.sys (Philips Consumer Electronics)
DRV - (catchme [Disabled | Running]) -- File not found
DRV - (CVirtA [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\CVirtA.sys (Cisco Systems, Inc.)
DRV - (CVPNDRVA [Auto | Running]) -- C:\WINDOWS\system32\Drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (DLABOIOM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLACDBHM [System | Running]) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLADResN [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLAIFS_M [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLAOPIOM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLARTL_N [System | Running]) -- C:\WINDOWS\System32\Drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DLAUDFAM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DNE [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\dne2000.sys (Deterministic Networks, Inc.)
DRV - (DRVMCDB [Boot | Running]) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (DRVNDDM [Auto | Running]) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (eamon [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\eamon.sys (ESET)
DRV - (ehdrv [System | Running]) -- C:\WINDOWS\system32\DRIVERS\ehdrv.sys (ESET)
DRV - (epfwtdir [System | Running]) -- C:\WINDOWS\system32\DRIVERS\epfwtdir.sys (ESET)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (ialm [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (IntcAzAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (lusbaudio [System | Stopped]) -- C:\WINDOWS\system32\drivers\OVSound2.sys (Microsoft Corporation)
DRV - (Netdevio [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\netdevio.sys (TOSHIBA Corporation.)
DRV - (NETw5x32 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\NETw5x32.sys (Intel Corporation)
DRV - (nmwcd [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (nmwcdc [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcdnsu [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys (Nokia)
DRV - (nmwcdnsuc [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\nmwcdnsuc.sys (Nokia)
DRV - (NuidFltr [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\NuidFltr.sys (Microsoft Corporation)
DRV - (PnkBstrK [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\PnkBstrK.sys ()
DRV - (Point32 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\point32.sys (Microsoft Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (QCAbsee [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\OVCA.sys (Microsoft Corporation)
DRV - (ROOTMODEM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\RootMdm.sys (Microsoft Corporation)
DRV - (s24trans [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\s24trans.sys (Intel Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SynTP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys (Synaptics, Inc.)
DRV - (tifm21 [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (toshidpt [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\Toshidpt.sys (TOSHIBA Corporation.)
DRV - (tosporte [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosporte.sys (TOSHIBA Corporation)
DRV - (Tosrfbd [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\tosrfbd.sys (TOSHIBA CORPORATION)
DRV - (Tosrfbnp [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\tosrfbnp.sys (TOSHIBA Corporation)
DRV - (Tosrfcom [System | Running]) -- C:\WINDOWS\System32\Drivers\tosrfcom.sys (TOSHIBA Corporation)
DRV - (tosrfec [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosrfec.sys (TOSHIBA Corporation)
DRV - (Tosrfhid [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys (TOSHIBA Corporation.)
DRV - (tosrfnds [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\tosrfnds.sys (TOSHIBA Corporation.)
DRV - (TosRfSnd [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\TosRfSnd.sys (TOSHIBA Corporation)
DRV - (Tosrfusb [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (TVALD [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\NBSMI.sys (Toshiba Corporation)
DRV - (Tvs [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Tvs.sys (TOSHIBA Corporation)
DRV - (upperdev [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys (Windows ® Codename Longhorn DDK provider)
DRV - (usbaudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (usbser [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\usbser.sys (Microsoft Corporation)
DRV - (UsbserFilt [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys (Windows ® Codename Longhorn DDK provider)
DRV - (vsdatant [On_Demand | Stopped]) -- C:\WINDOWS\system32\vsdatant.sys (Zone Labs LLC)
DRV - (w39n51 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\w39n51.sys (Intel® Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "www.google.co.uk"
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.1.8.6
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.102
FF - prefs.js..extensions.enabledItems: {19D6F1AB-D724-41EA-97CA-0758E16D12B7}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.9
FF - prefs.js..extensions.enabledItems: {36C13C8F-54F1-412e-8177-2E411719162D}:3.3.7

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009.04.21 23:07:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009.04.25 20:06:33 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009.04.25 15:49:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009.04.25 19:54:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\PROGRAM FILES\ESET\ESET NOD32 ANTIVIRUS\MOZILLA THUNDERBIRD

[2008.09.14 14:07:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxx\Application Data\mozilla\Extensions
[2008.09.14 14:07:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxxx\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009.04.25 20:08:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\mozilla\Firefox\Profiles\qlxl1e1p.default\extensions
[2009.04.22 08:14:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxx\Application Data\mozilla\Firefox\Profiles\qlxl1e1p.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009.02.01 16:04:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\xxxxxxxxxx\Application Data\mozilla\Firefox\Profiles\qlxl1e1p.default\extensions\{36C13C8F-54F1-412e-8177-2E411719162D}
[2009.04.25 23:16:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009.04.21 21:50:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{19D6F1AB-D724-41EA-97CA-0758E16D12B7}
[2009.04.23 19:01:15 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009.01.31 17:52:48 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2009.04.25 20:07:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009.04.23 19:01:05 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009.04.23 19:01:05 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008.01.04 16:36:50 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2006.07.05 19:47:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008.01.04 16:36:50 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2008.03.08 10:35:22 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008.11.14 18:58:45 | 00,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2008.04.16 05:08:20 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008.03.28 19:11:14 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008.01.04 16:36:50 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

Hosts file not found
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (www.flashget.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (www.flashget.com)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice (ESET)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TDispVol] "C:\WINDOWS\system32\TDispVol.exe" (TOSHIBA Corporation)
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (Skype Technologies S.A.)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm ()
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] http in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] https in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: microsoft.com ([update] http in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: microsoft.com ([update] https in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: microsoft.com ([windowsupdate] http in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: microsoft.com ([www.update] http in Güvenilen siteler)
O15 - HKCU\..Trusted Sites: windowsupdate.com ([]http in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Güvenilen siteler)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1206185325921 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1206186201843 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{7B6CC36C-1CA7-40D7-8C16-67A546ACC108}\\NameServer = 4.2.2.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (Geçerli Giriş Sayfam) - About:Home
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009.04.25 20:57:39 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\jrox.sys
[2009.04.25 19:37:09 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009.04.25 19:24:54 | 00,000,000 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\settings.dat
[2009.04.25 19:22:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009.04.25 19:17:54 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009.04.25 19:17:30 | 00,446,464 | ---- | C] ( ) -- C:\DOCUME~1\EFEAKA~1\Desktop\RootRepeal.exe
[2009.04.25 19:09:13 | 96,675,960 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\VCDP.avi
[2009.04.25 17:57:26 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\Virus loglar
[2009.04.25 17:42:55 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009.04.25 17:42:55 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009.04.25 17:42:55 | 00,109,568 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009.04.25 17:42:55 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009.04.25 17:42:55 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009.04.25 17:42:55 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009.04.25 17:42:55 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009.04.25 17:42:54 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009.04.25 17:42:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009.04.25 17:42:47 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009.04.25 17:42:30 | 03,005,109 | R--- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\ComboFix.exe
[2009.04.25 17:39:25 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009.04.25 17:17:29 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\DOCUME~1\EFEAKA~1\Desktop\OTListIt2.exe
[2009.04.25 17:12:48 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009.04.25 17:12:43 | 00,267,612 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Rooter.exe
[2009.04.25 16:31:08 | 00,000,000 | ---D | C] -- C:\Program Files\jv16 PowerTools 2009
[2009.04.25 15:24:44 | 00,051,200 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\October 19 The Poisson Event Count Model.doc
[2009.04.24 23:20:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\xxxxxxxxxx\Application Data\TrojanHunter
[2009.04.24 11:16:25 | 00,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2009.04.24 11:02:01 | 00,059,392 | R--- | C] () -- C:\WINDOWS\System32\streamhlp.dll
[2009.04.24 11:02:01 | 00,000,000 | ---D | C] -- C:\Program Files\TrojanHunter 5.0
[2009.04.24 10:58:22 | 00,102,800 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009.04.23 23:44:25 | 00,000,867 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\Ad-Aware.lnk
[2009.04.22 08:09:09 | 01,089,883 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009.04.21 22:54:20 | 00,000,224 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009.04.21 22:51:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009.04.21 21:49:29 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Local Settings\Application Data\ESET
[2009.04.21 20:39:37 | 36,687,6914 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\heroes.s03e24.hdtv.xvid-fqm.www.divxkurdu.com.DvX-TeaM.avi
[2009.04.18 16:56:10 | 00,139,895 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Grob-From_the_Dagger_to_the_Bomb.pdf
[2009.04.18 15:11:32 | 00,444,692 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\477.pdf
[2009.04.18 12:22:25 | 00,275,475 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\WP12.pdf
[2009.04.18 12:17:30 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\Research Design
[2009.04.15 21:05:00 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009.04.15 21:04:53 | 00,283,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009.04.15 21:04:53 | 00,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009.04.15 21:04:52 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009.04.15 21:04:51 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009.04.15 21:04:51 | 00,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sc.exe
[2009.04.15 21:04:49 | 00,682,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009.04.15 21:04:48 | 00,728,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009.04.15 21:04:48 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009.04.15 21:04:47 | 00,710,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009.04.15 21:03:14 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009.04.15 21:03:13 | 00,216,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009.04.14 12:34:26 | 11,735,11499 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Heroes.S03E23.720p.HDTV.X264-DIMENSION.mkv
[2009.04.13 16:03:36 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\RM
[2009.04.13 11:22:25 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\Research Methods
[2009.04.13 01:50:44 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009.04.13 01:50:44 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\Application Data\ESET
[2009.04.13 01:42:24 | 00,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009.04.13 01:42:21 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009.04.13 01:42:20 | 00,839,680 | ---- | C] (http://www.mp3dev.org/) -- C:\WINDOWS\System32\lameACM.acm
[2009.04.13 01:42:20 | 00,000,414 | ---- | C] () -- C:\WINDOWS\System32\lame_acm.xml
[2009.04.13 01:42:19 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009.04.13 01:42:19 | 00,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009.04.13 01:42:19 | 00,217,088 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\yv12vfw.dll
[2009.04.13 01:42:19 | 00,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009.04.13 01:42:19 | 00,118,784 | ---- | C] (fccHandler) -- C:\WINDOWS\System32\ac3acm.acm
[2009.04.13 01:42:19 | 00,086,016 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\dpl100.dll
[2009.04.13 01:42:17 | 00,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009.04.13 01:42:17 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009.04.13 01:42:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\xxxxxxxxx\Application Data\Real
[2009.04.13 01:42:15 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Local Settings\Application Data\Real
[2009.04.13 01:42:15 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\Application Data\Real
[2009.04.10 22:49:06 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Belgelerim\The KMPlayer
[2009.04.10 22:47:10 | 00,000,710 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\KMPlayer.lnk
[2009.04.10 22:46:57 | 00,000,000 | ---D | C] -- C:\Program Files\The KMPlayer
[2009.04.10 22:40:18 | 00,000,000 | ---D | C] -- C:\Program Files\Haali
[2009.04.10 22:40:06 | 00,000,000 | ---D | C] -- C:\Program Files\CoreCodec
[2009.04.10 13:42:42 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\UN simulation
[2009.04.09 15:21:12 | 00,094,360 | ---- | C] (ESET) -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2009.04.09 15:18:02 | 00,107,256 | ---- | C] (ESET) -- C:\WINDOWS\System32\drivers\ehdrv.sys
[2009.04.09 15:10:30 | 00,113,960 | ---- | C] (ESET) -- C:\WINDOWS\System32\drivers\eamon.sys
[2009.04.06 14:26:42 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Belgelerim\Tekne Fotolar
[2009.04.05 13:52:46 | 00,044,498 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\one.flew.over.the.cuckoos.nest.(1975).eng.1cd.(3373253).zip
[2009.04.04 16:56:15 | 00,104,848 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\PMch1.pdf
[2009.04.03 18:36:33 | 59,071,765 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\Duman-En_Guzel_Gunum_Gecem-2007.rar
[2009.04.03 00:42:39 | 00,300,540 | ---- | C] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\hydroptere_2_582.jpg
[2009.03.31 12:56:19 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Desktop\Terrorism Essay- Yes We Can
[2009.03.30 19:35:29 | 00,000,000 | ---D | C] -- C:\DOCUME~1\EFEAKA~1\Belgelerim\My Received Files
[2009.02.28 23:57:18 | 00,140,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009.01.23 17:54:35 | 00,015,504 | ---- | C] () -- C:\WINDOWS\System32\msdx92.dll
[2009.01.14 10:22:27 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2009.01.14 10:22:27 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2009.01.14 10:22:27 | 00,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2009.01.14 10:07:23 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2009.01.14 10:07:23 | 00,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2008.12.30 15:52:50 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008.12.24 14:39:42 | 00,004,767 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2008.06.25 22:22:48 | 00,308,736 | R--- | C] () -- C:\WINDOWS\System32\fpxlib.dll
[2008.06.25 22:22:48 | 00,091,136 | R--- | C] () -- C:\WINDOWS\System32\jpeglib.dll
[2008.05.23 07:48:33 | 00,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2008.05.23 07:35:50 | 00,000,098 | ---- | C] () -- C:\WINDOWS\WirelessFTP.INI
[2008.05.11 08:45:55 | 00,000,145 | ---- | C] () -- C:\WINDOWS\PR1V2.INI
[2007.04.03 16:18:26 | 00,197,672 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007.04.03 16:18:06 | 00,193,576 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2006.02.01 11:19:14 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006.02.01 11:08:10 | 00,000,466 | ---- | C] () -- C:\WINDOWS\TBTdetect.ini
[2006.02.01 10:55:30 | 00,000,744 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006.02.01 10:42:00 | 00,000,216 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006.02.01 10:38:07 | 00,210,456 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006.02.01 10:38:07 | 00,206,360 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006.02.01 10:38:07 | 00,198,168 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006.02.01 10:38:07 | 00,198,168 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006.02.01 10:38:07 | 00,194,072 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006.02.01 10:38:07 | 00,026,136 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006.02.01 10:33:55 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\TDispVol.dll
[2006.02.01 10:30:55 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2006.02.01 10:30:39 | 00,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2006.02.01 10:30:39 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2006.02.01 09:27:24 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2006.02.01 09:27:24 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[2006.02.01 09:15:17 | 00,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006.02.01 09:15:17 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006.02.01 09:15:17 | 00,010,174 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006.02.01 09:15:17 | 00,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006.01.31 16:20:04 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll
[2006.01.31 16:20:04 | 00,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006.01.31 16:19:42 | 00,000,668 | ---- | C] () -- C:\WINDOWS\win.ini
[2006.01.31 16:19:39 | 00,000,827 | ---- | C] () -- C:\WINDOWS\system.ini
[2005.11.29 04:33:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005.09.02 13:44:08 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005.07.22 20:30:20 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004.07.20 16:04:02 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004.04.05 14:08:36 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\ChtCodec.dll
[2004.01.15 13:43:28 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2004.01.14 02:46:00 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll

========== Files - Modified Within 30 Days ==========

[1 C:\*.tmp files]
[4 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009.04.25 20:57:39 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\jrox.sys
[2009.04.25 19:24:54 | 00,000,000 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\settings.dat
[2009.04.25 19:22:15 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009.04.25 19:20:33 | 00,000,827 | ---- | M] () -- C:\WINDOWS\system.ini
[2009.04.25 17:53:59 | 01,043,700 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009.04.25 17:53:59 | 00,444,362 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009.04.25 17:53:59 | 00,431,542 | ---- | M] () -- C:\WINDOWS\System32\perfh01F.dat
[2009.04.25 17:53:59 | 00,082,308 | ---- | M] () -- C:\WINDOWS\System32\perfc01F.dat
[2009.04.25 17:53:59 | 00,072,238 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009.04.25 17:45:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009.04.25 17:45:44 | 32,191,81568 | -HS- | M] () -- C:\hiberfil.sys
[2009.04.25 17:42:34 | 03,005,109 | R--- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\ComboFix.exe
[2009.04.25 17:17:30 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\EFEAKA~1\Desktop\OTListIt2.exe
[2009.04.25 17:12:43 | 00,267,612 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Rooter.exe
[2009.04.25 16:59:13 | 00,195,584 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.04.25 15:26:36 | 00,102,472 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009.04.25 15:24:44 | 00,051,200 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\October 19 The Poisson Event Count Model.doc
[2009.04.25 12:53:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009.04.24 11:02:05 | 00,059,392 | R--- | M] () -- C:\WINDOWS\System32\streamhlp.dll
[2009.04.24 10:58:22 | 00,102,800 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009.04.23 23:44:25 | 00,000,867 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\Ad-Aware.lnk
[2009.04.22 08:06:58 | 00,368,896 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009.04.21 23:31:56 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009.04.21 22:54:20 | 00,000,224 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2009.04.21 22:27:50 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009.04.21 22:10:24 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\zulenipe
[2009.04.21 09:58:08 | 00,109,568 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009.04.20 23:42:55 | 36,687,6914 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\heroes.s03e24.hdtv.xvid-fqm.www.divxkurdu.com.DvX-TeaM.avi
[2009.04.19 18:03:52 | 00,002,433 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\VPN Client.lnk
[2009.04.18 16:56:10 | 00,139,895 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Grob-From_the_Dagger_to_the_Bomb.pdf
[2009.04.18 16:55:51 | 00,444,692 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\477.pdf
[2009.04.18 12:22:25 | 00,275,475 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\WP12.pdf
[2009.04.13 21:18:00 | 00,000,478 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009.04.13 21:16:48 | 11,735,11499 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Heroes.S03E23.720p.HDTV.X264-DIMENSION.mkv
[2009.04.10 22:47:10 | 00,000,710 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\KMPlayer.lnk
[2009.04.09 15:21:12 | 00,094,360 | ---- | M] (ESET) -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2009.04.09 15:18:02 | 00,107,256 | ---- | M] (ESET) -- C:\WINDOWS\System32\drivers\ehdrv.sys
[2009.04.09 15:10:30 | 00,113,960 | ---- | M] (ESET) -- C:\WINDOWS\System32\drivers\eamon.sys
[2009.04.06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009.04.06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009.04.05 13:52:46 | 00,044,498 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\one.flew.over.the.cuckoos.nest.(1975).eng.1cd.(3373253).zip
[2009.04.04 16:56:16 | 00,104,848 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\PMch1.pdf
[2009.04.03 18:37:16 | 59,071,765 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\Duman-En_Guzel_Gunum_Gecem-2007.rar
[2009.04.03 00:42:40 | 00,300,540 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\hydroptere_2_582.jpg
[2009.04.02 11:33:00 | 00,184,958 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Belgelerim\OC.jpg
[2009.03.27 12:45:56 | 00,015,817 | ---- | M] () -- C:\DOCUME~1\EFEAKA~1\Desktop\Yeni Microsoft Office Word Document.docx
[2009.03.27 07:48:52 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb

========== Alternate Data Streams ==========

@Alternate Data Stream - 150 bytes -> C:\DOCUME~1\ALLUSE~1\Application Data\TEMP:CD060F93
@Alternate Data Stream - 124 bytes -> C:\DOCUME~1\ALLUSE~1\Application Data\TEMP:CB0AACC9
@Alternate Data Stream - 118 bytes -> C:\DOCUME~1\ALLUSE~1\Application Data\TEMP:5BB923A2
< End of report >

Edited by CatByte, 15 June 2009 - 11:11 AM.

  • 0
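A small triage helper for the OTListIt2 entries above, added here as an example; it is not part of the thread and not code from OTListIt2 or any of the tools named in it. It parses the `[date time | size | attributes | C/M] (company) -- path` line format, then applies two defender-side heuristics that mirror what a helper scans such a log for by eye: `*.sys` files under a `\drivers\` folder whose company field is empty and that changed inside the 30-day window, and hidden files directly under System32. The assumptions are that the parenthesised field is the file's version-info company name (an empty field means "no embedded vendor", not "malicious"), that `REPORT_TIME` is the day the log was taken, and the sample lines themselves, which are constructed from the format shown above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: a handful of entries in the OTListIt2 line format used in the
# log above ([date time | size | attributes | C(reated)/M(odified)] (company) -- path).
SAMPLE_LOG = r"""
[2009.04.25 20:57:39 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\jrox.sys
[2009.04.25 17:45:44 | 32,191,81568 | -HS- | M] () -- C:\hiberfil.sys
[2009.04.21 22:10:24 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\zulenipe
[2009.04.09 15:21:12 | 00,094,360 | ---- | M] (ESET) -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2009.04.06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009.04.21 22:51:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2006.02.01 09:27:24 | 00,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
"""

# Assumed time the report was taken (the day after the newest sample entry).
REPORT_TIME = datetime(2009, 4, 26, 0, 0, 0)

ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)


@dataclass
class Entry:
    timestamp: datetime
    size: int
    attrs: str              # four flags, e.g. "-HS-" (hidden + system); "---D" marks a directory
    kind: str               # "C" = created within the window, "M" = modified within the window
    company: Optional[str]  # None for directories (no version info); "" when the field is empty
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTListIt2 file/directory line; return None for headers and other text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    company = m.group("company")
    return Entry(
        timestamp=datetime.strptime(f"{m['date']} {m['time']}", "%Y.%m.%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=company.strip() if company is not None else None,
        path=m["path"],
    )


def parse_log(text: str) -> List[Entry]:
    entries = [parse_entry(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def unsigned_recent_drivers(entries: List[Entry], now: datetime, window_days: int = 30) -> List[Entry]:
    """Kernel drivers (*.sys under a drivers folder) with an empty company field that were
    created or modified within the window. A triage lead, not a verdict: an empty field only
    means the file carries no version-info vendor string."""
    cutoff = now - timedelta(days=window_days)
    return [
        e for e in entries
        if not e.is_dir
        and "\\drivers\\" in e.path.lower()
        and e.path.lower().endswith(".sys")
        and e.company == ""
        and e.timestamp >= cutoff
    ]


def hidden_in_system32(entries: List[Entry]) -> List[Entry]:
    """Hidden, non-directory files under System32 (the log's -H-- attribute flag)."""
    prefix = "c:\\windows\\system32\\"
    return [e for e in entries if not e.is_dir and e.hidden and e.path.lower().startswith(prefix)]


def triage_sample() -> dict:
    """Run both checks over SAMPLE_LOG; returns the flagged paths per check."""
    entries = parse_log(SAMPLE_LOG)
    return {
        "unsigned_recent_drivers": [e.path for e in unsigned_recent_drivers(entries, REPORT_TIME)],
        "hidden_in_system32": [e.path for e in hidden_in_system32(entries)],
    }


if __name__ == "__main__":
    for check, paths in triage_sample().items():
        print(f"{check}:")
        for p in paths:
            print(f"  {p}")
```

Feed a whole saved OTListIt2 report to `parse_log` and the two checks narrow it to a short list worth looking up by hash or submitting to the helper; anything they flag still needs confirmation (signature check, vendor lookup) before it is treated as malicious, exactly as the thread's helpers do before prescribing a fix.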

#10
CatByte

CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
Hi,

There appear to be some registry keys with the entries remaining, so let's see if we can find them all.

Please do the following:

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a number of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

  • Post the contents of GMER.txt in your next reply.

  • 0

#11
invinciblebjk

invinciblebjk

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks for everything CatByte... ESET NOD32 no longer gives me the ODG Trojan detection; however, every time I search for a rapidshare file or a pdf file for my lectures, I get directed into a downloadable ".exe" file...

Not sure if this virus is totally cleanable/removable...

I do not really want to format my laptop...

Here is the GMER Log:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-26 15:44:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 88BD3630 ZwAssignProcessToJobObject
SSDT 88BD2A60 ZwOpenProcess
SSDT 88BD2E80 ZwOpenThread
SSDT 88BD3460 ZwSuspendProcess
SSDT 88BD3280 ZwSuspendThread
SSDT 88BD2C90 ZwTerminateProcess
SSDT 88BD30B0 ZwTerminateThread

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[416] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:676] 88BD1790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 8192/4096 bytes

---- EOF - GMER 1.0.15 ----
  • 0

#12
CatByte

CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

RootKit::
C:\WINDOWS\system32\drivers\TDSSserv.sys

Registry::
[-HKLM\SYSTEM\ControlSet001\Services\TDSSserv]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image

* Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
* ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
* When finished, it shall produce a log for you.
* Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NOTE: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Edited by CatByte, 26 April 2009 - 12:40 PM.

  • 0

#13
invinciblebjk

invinciblebjk

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi again,

Here is my log for ComboFix:

ComboFix 09-04-25.A3 - xxxxxxxxx 26.04.2009 16:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.3070.2319 [GMT 1:00]
Running from: c:\documents and settings\xxxxxxxxxx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\xxxxxxxxxx\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-25 18:54 . 2009-04-25 19:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-25 16:39 . 2009-04-25 16:39 -------- d--h--w c:\windows\PIF
2009-04-25 16:12 . 2009-04-26 02:24 -------- d-----w C:\Rooter$
2009-04-25 15:31 . 2009-04-25 15:33 -------- d-----w c:\program files\jv16 PowerTools 2009
2009-04-24 22:20 . 2009-04-24 22:20 -------- d-----w c:\documents and settings\xxxxxxxxxx\Application Data\TrojanHunter
2009-04-24 10:16 . 2009-04-25 16:05 -------- d-----w c:\program files\Trojan Remover
2009-04-24 10:02 . 2009-04-25 15:16 -------- d-----w c:\program files\TrojanHunter 5.0
2009-04-24 09:58 . 2009-04-24 09:58 102800 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-22 07:09 . 2009-01-09 19:19 1089883 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-21 21:54 . 2009-04-21 21:54 224 ----a-w c:\windows\system32\spupdsvc.inf
2009-04-21 21:51 . 2009-04-22 07:06 -------- d-----w c:\windows\SxsCaPendDel
2009-04-21 20:55 . 2009-04-21 20:55 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-21 20:49 . 2009-04-21 20:49 -------- d-----w c:\documents and settings\xxxxxxxxxx\Local Settings\Application Data\ESET
2009-04-15 20:05 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 20:04 . 2009-03-06 14:20 283136 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:04 . 2009-02-09 11:23 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 20:04 . 2009-02-09 10:52 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:04 . 2009-02-09 10:52 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:04 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 20:04 . 2009-02-09 10:52 682496 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:04 . 2009-02-09 10:52 728576 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:04 . 2009-02-09 10:52 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:04 . 2009-02-09 10:52 710144 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 20:03 . 2009-03-27 06:48 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 20:03 . 2008-04-21 21:15 216576 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 00:50 . 2009-04-13 00:50 -------- d-----w c:\program files\ESET
2009-04-13 00:50 . 2009-04-13 00:50 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-10 21:46 . 2009-04-10 21:49 -------- d-----w c:\program files\The KMPlayer
2009-04-10 21:40 . 2009-04-10 21:40 -------- d-----w c:\program files\Haali
2009-04-10 21:40 . 2009-04-10 21:40 -------- d-----w c:\program files\CoreCodec
2009-04-09 14:21 . 2009-04-09 14:21 94360 ----a-w c:\windows\system32\drivers\epfwtdir.sys
2009-04-09 14:18 . 2009-04-09 14:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 14:10 . 2009-04-09 14:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 16:00 . 2009-01-31 16:32 -------- d-----w c:\documents and settings\xxxxxxxxx\Application Data\Skype
2009-04-26 12:47 . 2009-01-31 16:53 -------- d-----w c:\documents and settings\xxxxxxxxx\Application Data\skypePM
2009-04-26 02:24 . 2009-04-25 16:13 2994 ----a-w C:\Rooter.txt
2009-04-25 19:06 . 2006-01-31 14:50 -------- d-----w c:\program files\Java
2009-04-25 16:53 . 2006-01-31 15:19 82308 ----a-w c:\windows\system32\perfc01F.dat
2009-04-25 16:53 . 2006-01-31 15:19 431542 ----a-w c:\windows\system32\perfh01F.dat
2009-04-25 16:02 . 2008-04-05 09:59 -------- d-----w c:\program files\Lavasoft
2009-04-25 16:00 . 2008-04-02 07:23 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-25 16:00 . 2008-09-24 13:07 -------- d-----w c:\program files\FlashGet
2009-04-25 15:19 . 2009-03-05 23:51 -------- d-----w c:\documents and settings\xxxxxxxxx\Application Data\Eltima Software
2009-04-25 14:51 . 2008-09-22 17:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:43 . 2009-04-24 08:35 900 ----a-w C:\aaw7boot.log
2009-04-25 14:26 . 2008-03-22 10:35 102472 ----a-w c:\documents and settings\xxxxxxxxxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 21:13 . 2009-03-03 11:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 17:49 . 2008-05-24 10:42 -------- d-----w c:\program files\Common Files\Apple
2009-04-16 02:03 . 2008-10-12 18:23 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-13 00:46 . 2008-09-22 19:52 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-10 16:41 . 2009-01-23 16:48 -------- d-----w c:\program files\Driver Checker
2009-04-06 14:32 . 2009-03-03 11:10 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2009-03-03 11:10 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 13:58 . 2008-04-17 16:05 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-31 16:57 . 2009-03-24 15:52 -------- d-----w c:\documents and settings\xxxxxxxxx\Application Data\dvdcss
2009-03-24 15:53 . 2009-03-24 15:52 -------- d-----w c:\documents and settings\xxxxxxxxx\Application Data\vlc
2009-03-24 15:51 . 2009-03-24 15:51 -------- d-----w c:\program files\VideoLAN
2009-03-06 14:20 . 2006-01-31 15:19 283136 ----a-w c:\windows\system32\pdh.dll
2009-03-06 00:25 . 2008-04-10 06:20 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-06 00:05 . 2009-03-06 00:05 -------- d-----w c:\program files\OJOsoft
2009-03-05 19:41 . 2008-03-22 12:57 -------- d-----w c:\program files\Windows Live
2009-03-05 19:36 . 2009-03-05 19:36 -------- d-----w c:\program files\Microsoft
2009-03-05 19:36 . 2009-03-05 19:36 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-05 19:30 . 2009-03-05 19:30 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-03 00:05 . 2006-01-31 15:19 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 18:10 . 2009-04-13 00:42 67584 ----a-w c:\windows\system32\ff_vfw.dll
2009-02-28 22:57 . 2009-02-28 22:57 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-28 22:56 . 2009-02-28 22:56 201352 ----a-w c:\windows\system32\PnkBstrB.exe
2009-02-28 22:56 . 2009-02-28 22:56 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-28 20:57 . 2009-02-28 20:57 -------- d-----w c:\program files\EA GAMES
2009-02-28 20:57 . 2006-02-01 07:12 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 17:08 . 2006-01-31 15:19 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:05 . 2006-01-31 15:19 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:23 . 2004-08-04 00:40 2025984 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:23 . 2006-01-31 15:19 2147328 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:23 . 2006-01-31 15:19 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:52 . 2006-01-31 15:19 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:52 . 2006-01-31 15:19 710144 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:52 . 2006-01-31 15:19 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:52 . 2006-01-31 15:19 682496 ----a-w c:\windows\system32\advapi32.dll
2009-02-06 19:03 . 2009-02-06 19:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2006-01-31 15:19 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:57 . 2006-01-31 15:19 56832 ----a-w c:\windows\system32\secur32.dll
2008-03-22 10:39 . 2008-03-22 10:35 132 ----a-w c:\documents and settings\xxxxxxxxx\Local Settings\Application Data\fusioncache.dat
2008-12-09 23:01 . 2008-12-09 23:01 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120920081210\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-25_16.50.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-26 16:00 . 2009-04-26 16:00 16384 c:\windows\temp\Perflib_Perfdata_3d4.dat
+ 2006-01-31 15:19 . 2009-04-25 16:53 72238 c:\windows\system32\perfc009.dat
- 2006-01-31 15:19 . 2009-04-25 16:50 72238 c:\windows\system32\perfc009.dat
+ 2006-01-31 15:19 . 2009-04-25 16:53 444362 c:\windows\system32\perfh009.dat
- 2006-01-31 15:19 . 2009-04-25 16:50 444362 c:\windows\system32\perfh009.dat
+ 2009-04-25 19:07 . 2009-04-25 19:06 148888 c:\windows\system32\javaws.exe
+ 2009-04-25 19:07 . 2009-04-25 19:06 144792 c:\windows\system32\javaw.exe
+ 2009-04-25 19:07 . 2009-04-25 19:06 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TDispVol"="c:\windows\system32\TDispVol.exe" [2005-09-16 73728]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-24 18081280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Adobe Reader Hızlı Çalıştırma.lnk]
backup=c:\windows\pss\Adobe Reader Hızlı Çalıştırma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Bluetooth Manager.lnk]
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Nokia Nseries PC Suite.lnk]
backup=c:\windows\pss\Nokia Nseries PC Suite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^VPN Client.lnk]
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSSInc\\SPSS16\\ExportToPowerPoint.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21018:TCP"= 21018:TCP:BitComet 21018 TCP
"21018:UDP"= 21018:UDP:BitComet 21018 UDP
"18829:TCP"= 18829:TCP:BitComet 18829 TCP
"18829:UDP"= 18829:UDP:BitComet 18829 UDP
"60000:TCP"= 60000:TCP:BitComet 60000 TCP
"60000:UDP"= 60000:UDP:BitComet 60000 UDP
"22394:TCP"= 22394:TCP:BitComet 22394 TCP
"22394:UDP"= 22394:UDP:BitComet 22394 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
R3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\DRIVERS\OVCA.sys [2001-08-17 25088]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-04-09 94360]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-04-09 731840]
S3 camvid40;Philips SPC 900NC PC Camera;c:\windows\system32\DRIVERS\camdrv41.sys [2005-09-12 1239552]

.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 09:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
TCP: {7B6CC36C-1CA7-40D7-8C16-67A546ACC108} = 4.2.2.1
FF - ProfilePath - c:\documents and settings\xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\qlxl1e1p.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 17:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1280)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(228)
c:\windows\system32\TDispVol.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-04-26 17:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 16:05
ComboFix2.txt 2009-04-25 18:22
ComboFix3.txt 2009-04-25 16:52

Pre-Run: 39.668.740.096 bytes free
Post-Run: 39.720.910.848 bytes free

248 --- E O F --- 2009-04-22 08:27

Edited by CatByte, 15 June 2009 - 11:14 AM.

  • 0

#14
CatByte

    GeekU Teacher

  • GeekU Moderator
  • 2,705 posts
  • MVP
Hi,

I must apologize, I made a slight syntax error in that last fix.

I have to ask you to do it again with the corrected syntax... thanks.


please do this:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

RootKit::
C:\WINDOWS\system32\drivers\TDSSserv.sys

Registry::
[-HKLM\SYSTEM\ControlSet001\Services\TDSSserv]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image

* Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
* ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
* When finished, it shall produce a log for you.
* Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NOTE: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Edited by CatByte, 26 April 2009 - 12:41 PM.

  • 0
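The CFScript in the post above targets one driver file and its service key by hand. As an added example (not CatByte's instructions and not ComboFix's own code), the Python below parses driver/service lines of the form shown in the ComboFix logs in this thread, emits the same RootKit::/Registry:: script for a named service, and diffs the service lists of two logs so that after the rerun you can confirm only the targeted entry disappeared. The TDSSserv line in the sample log is constructed for the example and does not appear in the posted logs; the ControlSet001 key follows the script in this post; the reading of the R/S prefix as running/stopped and the digit as the Windows start type is an assumption about ComboFix's notation.

```python
"""Triage helper for ComboFix-style driver/service lines (added example)."""
import re

# One ComboFix service/driver line looks like:
#   S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
# Assumed reading of the prefix: R = running, S = stopped; the digit is the
# Windows service start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$"
)

# Constructed sample: the first four lines are copied from the log in this
# thread; the TDSSserv line is constructed for the example and is NOT present
# in the posted logs.
SAMPLE_LOG = r"""
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-04-09 731840]
S3 camvid40;Philips SPC 900NC PC Camera;c:\windows\system32\DRIVERS\camdrv41.sys [2005-09-12 1239552]
S1 TDSSserv;TDSSserv;c:\windows\system32\drivers\TDSSserv.sys [2009-04-20 40960]
"""

# What the same section should look like after the fix: the targeted line gone.
CLEAN_LOG = "\n".join(l for l in SAMPLE_LOG.splitlines() if "TDSSserv" not in l)


def parse_services(log_text):
    """Return {service_name: {state, start, display, path, date, size}}.

    Lines that do not match the service/driver pattern are ignored, so the
    whole log can be passed in, not just the service section.
    """
    services = {}
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["start"] = int(entry["start"])
        entry["size"] = int(entry["size"])
        services[entry["name"]] = entry
    return services


def build_cfscript(services, service_name, control_set="ControlSet001"):
    """Emit CFScript text that removes a driver file and its service key,
    in the RootKit:: / Registry:: form used in this thread.

    control_set defaults to ControlSet001 as in the posted script; check
    HKLM\\SYSTEM\\Select\\Current on the machine if you are unsure which
    control set is live.
    """
    svc = services[service_name]  # KeyError if the log never listed it
    lines = [
        "RootKit::",
        svc["path"],
        "",
        "Registry::",
        f"[-HKLM\\SYSTEM\\{control_set}\\Services\\{service_name}]",
        "",
    ]
    return "\n".join(lines)


def removed_between(before_text, after_text):
    """Service names listed in the first log but missing from the second.

    After a targeted fix you expect exactly the removed service here; any
    other name means a legitimate driver was also lost.
    """
    before = set(parse_services(before_text))
    after = set(parse_services(after_text))
    return sorted(before - after)


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_LOG)
    print(build_cfscript(svcs, "TDSSserv"))
    print("removed after fix:", removed_between(SAMPLE_LOG, CLEAN_LOG))
```

Run it and paste the printed RootKit::/Registry:: block into Notepad exactly as the post describes; the diff helper is meant to be fed the full before and after ComboFix logs once the rerun has produced them.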

#15
invinciblebjk

    Member

  • Topic Starter
  • Member
  • 12 posts
Hi CatByte,

Combofix log again:

ComboFix 09-04-25.A3 - xxxxxxxxxx 26.04.2009 17:40.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.3070.2389 [GMT 1:00]
Running from: c:\documents and settings\xxxxxxxxx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\xxxxxxxxx\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-25 18:54 . 2009-04-25 19:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-25 16:39 . 2009-04-25 16:39 -------- d--h--w c:\windows\PIF
2009-04-25 16:12 . 2009-04-26 02:24 -------- d-----w C:\Rooter$
2009-04-25 15:31 . 2009-04-25 15:33 -------- d-----w c:\program files\jv16 PowerTools 2009
2009-04-24 22:20 . 2009-04-24 22:20 -------- d-----w c:\documents and settings\xxxxxxxxxx\Application Data\TrojanHunter
2009-04-24 10:16 . 2009-04-25 16:05 -------- d-----w c:\program files\Trojan Remover
2009-04-24 10:02 . 2009-04-25 15:16 -------- d-----w c:\program files\TrojanHunter 5.0
2009-04-24 09:58 . 2009-04-24 09:58 102800 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-22 07:09 . 2009-01-09 19:19 1089883 -c----w c:\windows\system32\dllcache\ntprint.cat
2009-04-21 21:54 . 2009-04-21 21:54 224 ----a-w c:\windows\system32\spupdsvc.inf
2009-04-21 21:51 . 2009-04-22 07:06 -------- d-----w c:\windows\SxsCaPendDel
2009-04-21 20:55 . 2009-04-21 20:55 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-04-21 20:49 . 2009-04-21 20:49 -------- d-----w c:\documents and settings\xxxxxxxxxx\Local Settings\Application Data\ESET
2009-04-15 20:05 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 20:04 . 2009-03-06 14:20 283136 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:04 . 2009-02-09 11:23 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 20:04 . 2009-02-09 10:52 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:04 . 2009-02-09 10:52 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:04 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 20:04 . 2009-02-09 10:52 682496 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:04 . 2009-02-09 10:52 728576 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:04 . 2009-02-09 10:52 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:04 . 2009-02-09 10:52 710144 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 20:03 . 2009-03-27 06:48 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 20:03 . 2008-04-21 21:15 216576 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 00:50 . 2009-04-13 00:50 -------- d-----w c:\program files\ESET
2009-04-13 00:50 . 2009-04-13 00:50 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-10 21:46 . 2009-04-10 21:49 -------- d-----w c:\program files\The KMPlayer
2009-04-10 21:40 . 2009-04-10 21:40 -------- d-----w c:\program files\Haali
2009-04-10 21:40 . 2009-04-10 21:40 -------- d-----w c:\program files\CoreCodec
2009-04-09 14:21 . 2009-04-09 14:21 94360 ----a-w c:\windows\system32\drivers\epfwtdir.sys
2009-04-09 14:18 . 2009-04-09 14:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 14:10 . 2009-04-09 14:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 16:45 . 2009-01-31 16:32 -------- d-----w c:\documents and settings\xxxxxxxxxx\Application Data\Skype
2009-04-26 12:47 . 2009-01-31 16:53 -------- d-----w c:\documents and settings\xxxxxxxxx\Application Data\skypePM
2009-04-26 02:24 . 2009-04-25 16:13 2994 ----a-w C:\Rooter.txt
2009-04-25 19:06 . 2006-01-31 14:50 -------- d-----w c:\program files\Java
2009-04-25 16:53 . 2006-01-31 15:19 82308 ----a-w c:\windows\system32\perfc01F.dat
2009-04-25 16:53 . 2006-01-31 15:19 431542 ----a-w c:\windows\system32\perfh01F.dat
2009-04-25 16:02 . 2008-04-05 09:59 -------- d-----w c:\program files\Lavasoft
2009-04-25 16:00 . 2008-04-02 07:23 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-25 16:00 . 2008-09-24 13:07 -------- d-----w c:\program files\FlashGet
2009-04-25 15:19 . 2009-03-05 23:51 -------- d-----w c:\documents and settings\xxxxxxxx\Application Data\Eltima Software
2009-04-25 14:51 . 2008-09-22 17:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 14:43 . 2009-04-24 08:35 900 ----a-w C:\aaw7boot.log
2009-04-25 14:26 . 2008-03-22 10:35 102472 ----a-w c:\documents and settings\xxxxxxxxx\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 21:13 . 2009-03-03 11:10 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 17:49 . 2008-05-24 10:42 -------- d-----w c:\program files\Common Files\Apple
2009-04-16 02:03 . 2008-10-12 18:23 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-13 00:46 . 2008-09-22 19:52 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-10 16:41 . 2009-01-23 16:48 -------- d-----w c:\program files\Driver Checker
2009-04-06 14:32 . 2009-03-03 11:10 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2009-03-03 11:10 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 13:58 . 2008-04-17 16:05 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-31 16:57 . 2009-03-24 15:52 -------- d-----w c:\documents and settings\xxxxxxxxx\Application Data\dvdcss
2009-03-24 15:53 . 2009-03-24 15:52 -------- d-----w c:\documents and settings\xxxxxxxxxx\Application Data\vlc
2009-03-24 15:51 . 2009-03-24 15:51 -------- d-----w c:\program files\VideoLAN
2009-03-06 14:20 . 2006-01-31 15:19 283136 ----a-w c:\windows\system32\pdh.dll
2009-03-06 00:25 . 2008-04-10 06:20 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-06 00:05 . 2009-03-06 00:05 -------- d-----w c:\program files\OJOsoft
2009-03-05 19:41 . 2008-03-22 12:57 -------- d-----w c:\program files\Windows Live
2009-03-05 19:36 . 2009-03-05 19:36 -------- d-----w c:\program files\Microsoft
2009-03-05 19:36 . 2009-03-05 19:36 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-05 19:30 . 2009-03-05 19:30 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-03 00:05 . 2006-01-31 15:19 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 18:10 . 2009-04-13 00:42 67584 ----a-w c:\windows\system32\ff_vfw.dll
2009-02-28 22:57 . 2009-02-28 22:57 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-28 22:56 . 2009-02-28 22:56 201352 ----a-w c:\windows\system32\PnkBstrB.exe
2009-02-28 22:56 . 2009-02-28 22:56 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-28 20:57 . 2009-02-28 20:57 -------- d-----w c:\program files\EA GAMES
2009-02-28 20:57 . 2006-02-01 07:12 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-20 17:08 . 2006-01-31 15:19 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:05 . 2006-01-31 15:19 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:23 . 2004-08-04 00:40 2025984 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:23 . 2006-01-31 15:19 2147328 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:23 . 2006-01-31 15:19 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:52 . 2006-01-31 15:19 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:52 . 2006-01-31 15:19 710144 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:52 . 2006-01-31 15:19 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:52 . 2006-01-31 15:19 682496 ----a-w c:\windows\system32\advapi32.dll
2009-02-06 19:03 . 2009-02-06 19:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2006-01-31 15:19 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:57 . 2006-01-31 15:19 56832 ----a-w c:\windows\system32\secur32.dll
2008-03-22 10:39 . 2008-03-22 10:35 132 ----a-w c:\documents and settings\xxxxxxxxxx\Local Settings\Application Data\fusioncache.dat
2008-12-09 23:01 . 2008-12-09 23:01 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120920081210\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-25_16.50.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-26 16:45 . 2009-04-26 16:45 16384 c:\windows\temp\Perflib_Perfdata_3ac.dat
+ 2006-01-31 15:19 . 2009-04-25 16:53 72238 c:\windows\system32\perfc009.dat
- 2006-01-31 15:19 . 2009-04-25 16:50 72238 c:\windows\system32\perfc009.dat
+ 2006-01-31 15:19 . 2009-04-25 16:53 444362 c:\windows\system32\perfh009.dat
- 2006-01-31 15:19 . 2009-04-25 16:50 444362 c:\windows\system32\perfh009.dat
+ 2009-04-25 19:07 . 2009-04-25 19:06 148888 c:\windows\system32\javaws.exe
+ 2009-04-25 19:07 . 2009-04-25 19:06 144792 c:\windows\system32\javaw.exe
+ 2009-04-25 19:07 . 2009-04-25 19:06 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TDispVol"="c:\windows\system32\TDispVol.exe" [2005-09-16 73728]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-24 18081280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Adobe Reader Hızlı Çalıştırma.lnk]
backup=c:\windows\pss\Adobe Reader Hızlı Çalıştırma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Bluetooth Manager.lnk]
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Nokia Nseries PC Suite.lnk]
backup=c:\windows\pss\Nokia Nseries PC Suite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^VPN Client.lnk]
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=
"c:\\Program Files\\SPSSInc\\SPSS16\\ExportToPowerPoint.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21018:TCP"= 21018:TCP:BitComet 21018 TCP
"21018:UDP"= 21018:UDP:BitComet 21018 UDP
"18829:TCP"= 18829:TCP:BitComet 18829 TCP
"18829:UDP"= 18829:UDP:BitComet 18829 UDP
"60000:TCP"= 60000:TCP:BitComet 60000 TCP
"60000:UDP"= 60000:UDP:BitComet 60000 UDP
"22394:TCP"= 22394:TCP:BitComet 22394 TCP
"22394:UDP"= 22394:UDP:BitComet 22394 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
R3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\DRIVERS\OVCA.sys [2001-08-17 25088]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-04-09 94360]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-04-09 731840]
S3 camvid40;Philips SPC 900NC PC Camera;c:\windows\system32\DRIVERS\camdrv41.sys [2005-09-12 1239552]

.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 09:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com
Trusted Zone: windowsupdate.com\download
TCP: {7B6CC36C-1CA7-40D7-8C16-67A546ACC108} = 4.2.2.1
FF - ProfilePath - c:\documents and settings\xxxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\qlxl1e1p.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 17:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1280)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3248)
c:\windows\system32\TDispVol.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-04-26 17:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 16:49
ComboFix2.txt 2009-04-26 16:05
ComboFix3.txt 2009-04-25 18:22
ComboFix4.txt 2009-04-25 16:52

Pre-Run: 39.739.736.064 bytes free
Post-Run: 39.719.333.888 bytes free

248 --- E O F --- 2009-04-22 08:27


thanks again...

Edited by CatByte, 15 June 2009 - 11:16 AM.

  • 0





