WiredWX Christian Hobby Weather Tools

Re: lop problem
And here is her log file (option 2).. Were we both under attack? And should I continue to do all steps for both of us? Cos she needs to sleep and can't work on her machine any further tonight..

Her log:

\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel(R) Pentium(R) D CPU 2.66GHz )
BIOS : Rev 1.00
USER : usr ( Administrator )
BOOT : Normal boot
Antivirus : ESET NOD32 antivirus system 2.70 2.70 (Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:73 Go (Free:48 Go)
D:\ (Local Disk) - NTFS - Total:75 Go (Free:74 Go)
E:\ (CD or DVD)
F:\ (Local Disk) - FAT32 - Total:149 Go (Free:77 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [2] ( 24.02.2009|22:37 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ FIX

Deleted! - C:\DOCUME~1\usr\APPLIC~1\blehbi~1\third name bits trust.exe
Deleted! - C:\DOCUME~1\usr\APPLIC~1\blehbi~1\wkopylwn.exe
Deleted! - C:\DOCUME~1\usr\LOCALS~1\Temp\msgpl_f9a4.exe
Deleted! - C:\DOCUME~1\usr\LOCALS~1\Temp\nsm18E.tmp
Deleted! - C:\DOCUME~1\usr\LOCALS~1\Temp\nsu88A.tmp
Deleted! - C:\DOCUME~1\usr\LOCALS~1\Temp\status.txt
Deleted! - C:\Program Files\Adverts\uninst.exe
Deleted! - C:\WINDOWS\Tasks\A04AAA1A90895C36.job
Deleted! - C:\DOCUME~1\usr\LOCALS~1\Temp\bis301.exe
Deleted! - C:\DOCUME~1\usr\APPLIC~1\blehbi~1
Deleted! - C:\Program Files\blehbi~1
Deleted! - C:\Program Files\Adverts
-
[ Hosts file ] .. Restored!

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Deleted! - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Listing folders in APPLIC~1

[26.10.2006|17:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[20.12.2008|19:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
[20.12.2008|19:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
[20.12.2008|19:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
[22.02.2009|21:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\GamesBar
[08.03.2008|22:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Go Go Gourmet
[29.01.2008|18:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[10.10.2006|16:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
[09.06.2008|17:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear
[12.04.2007|19:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\LongPokeClockHope
[25.11.2006|19:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
[09.06.2008|16:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[03.02.2007|16:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[03.10.2006|10:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[21.01.2009|17:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
[21.01.2009|17:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Reflexive
[25.09.2007|20:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
[05.12.2008|21:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[02.12.2007|18:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[08.03.2008|18:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[0|Dosya] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bayt
[22|Dizin] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bayt boş

[02.10.2006|08:45] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bayt boş

[28.03.2008|13:49] C:\DOCUME~1\Guest\APPLIC~1\Google
[10.10.2006|18:01] C:\DOCUME~1\Guest\APPLIC~1\HP
[10.10.2006|18:00] C:\DOCUME~1\Guest\APPLIC~1\Identities
[26.12.2006|20:42] C:\DOCUME~1\Guest\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\Guest\APPLIC~1\bayt
[6|Dizin] C:\DOCUME~1\Guest\APPLIC~1\bayt boş

[23.12.2007|11:42] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\LOCALS~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\LOCALS~1\APPLIC~1\bayt boş

[02.10.2006|08:49] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[16.09.2007|17:57] C:\DOCUME~1\NETWOR~1\APPLIC~1\Symantec
[0|Dosya] C:\DOCUME~1\NETWOR~1\APPLIC~1\bayt
[4|Dizin] C:\DOCUME~1\NETWOR~1\APPLIC~1\bayt boş

[23.09.2008|16:04] C:\DOCUME~1\usr\APPLIC~1\Adobe
[26.10.2006|17:12] C:\DOCUME~1\usr\APPLIC~1\AdobeUM
[13.10.2008|18:37] C:\DOCUME~1\usr\APPLIC~1\Go-Go Gourmet Chef of the Year
[01.02.2008|12:43] C:\DOCUME~1\usr\APPLIC~1\Google
[10.10.2006|16:02] C:\DOCUME~1\usr\APPLIC~1\HP
[02.10.2006|12:14] C:\DOCUME~1\usr\APPLIC~1\Identities
[11.05.2008|10:34] C:\DOCUME~1\usr\APPLIC~1\Image Zone Express
[22.09.2007|22:33] C:\DOCUME~1\usr\APPLIC~1\InterVideo
[09.06.2008|16:55] C:\DOCUME~1\usr\APPLIC~1\iWin
[03.10.2006|09:05] C:\DOCUME~1\usr\APPLIC~1\Macromedia
[28.04.2008|19:28] C:\DOCUME~1\usr\APPLIC~1\Microsoft
[24.02.2009|16:25] C:\DOCUME~1\usr\APPLIC~1\Mozilla
[21.01.2009|17:51] C:\DOCUME~1\usr\APPLIC~1\PlayFirst
[16.09.2007|18:07] C:\DOCUME~1\usr\APPLIC~1\Printer Info Cache
[20.12.2008|19:54] C:\DOCUME~1\usr\APPLIC~1\QQ Games
[07.10.2006|09:33] C:\DOCUME~1\usr\APPLIC~1\Symantec
[20.12.2008|19:54] C:\DOCUME~1\usr\APPLIC~1\Tencent
[0|Dosya] C:\DOCUME~1\usr\APPLIC~1\bayt
[19|Dizin] C:\DOCUME~1\usr\APPLIC~1\bayt boş

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[24.02.2009 21:58][--a------] C:\WINDOWS\tasks\Symantec NetDetect.job
[24.02.2009 21:58][--ah-----] C:\WINDOWS\tasks\SA.DAT
[04.08.2004 14:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[26.10.2006|16:59] C:\Program Files\Adobe
[07.10.2006|09:23] C:\Program Files\Ahead
[20.12.2008|19:52] C:\Program Files\AIMTunes
[01.12.2008|21:51] C:\Program Files\Ares
[11.10.2008|13:24] C:\Program Files\AskSBar
[24.02.2009|16:42] C:\Program Files\Common Files
[02.10.2006|08:42] C:\Program Files\ComPlus Applications
[22.09.2007|22:18] C:\Program Files\Creative
[02.10.2006|12:36] C:\Program Files\DIFX
[25.04.2008|19:26] C:\Program Files\DVDVideoSoft
[06.03.2007|21:06] C:\Program Files\EA GAMES
[29.09.2007|22:11] C:\Program Files\EA Sports
[13.11.2006|16:35] C:\Program Files\Electronic Arts
[24.02.2009|18:25] C:\Program Files\ESET
[17.10.2008|21:35] C:\Program Files\Gamenext
[17.10.2008|21:36] C:\Program Files\GamesBar
[29.01.2008|18:41] C:\Program Files\Google
[10.10.2006|15:59] C:\Program Files\Hewlett-Packard
[16.09.2007|18:06] C:\Program Files\HP
[17.05.2008|11:27] C:\Program Files\Incomplete
[15.12.2007|21:04] C:\Program Files\InstallShield Installation Information
[02.10.2006|12:53] C:\Program Files\Intel
[22.09.2007|22:19] C:\Program Files\InterActual
[14.12.2008|13:44] C:\Program Files\Internet Explorer
[22.09.2007|22:41] C:\Program Files\InterVideo
[15.07.2008|14:29] C:\Program Files\Java
[07.10.2006|09:28] C:\Program Files\LifeView TVR
[17.05.2008|11:27] C:\Program Files\LimeWire
[03.10.2006|07:54] C:\Program Files\Marvell
[18.04.2007|21:29] C:\Program Files\Maxis
[02.09.2008|13:11] C:\Program Files\Messenger
[06.02.2009|18:30] C:\Program Files\Messenger Plus! Live
[25.11.2006|19:19] C:\Program Files\MessengerPlus! 3
[08.02.2007|12:01] C:\Program Files\Microsoft ActiveSync
[02.10.2006|08:46] C:\Program Files\microsoft frontpage
[21.07.2008|22:05] C:\Program Files\Microsoft Games
[24.11.2008|20:55] C:\Program Files\Microsoft Office
[23.01.2007|17:30] C:\Program Files\Microsoft Visual Studio
[13.07.2008|20:25] C:\Program Files\Microsoft Works
[08.02.2007|12:01] C:\Program Files\Microsoft.NET
[02.10.2006|08:43] C:\Program Files\Movie Maker
[24.02.2009|20:17] C:\Program Files\Mozilla Firefox
[24.11.2008|20:55] C:\Program Files\MSECache
[02.10.2006|08:41] C:\Program Files\MSN Gaming Zone
[01.09.2008|19:50] C:\Program Files\MSN Messenger
[27.09.2007|10:59] C:\Program Files\MSXML 4.0
[23.12.2006|21:45] C:\Program Files\NetMeeting
[02.10.2006|08:44] C:\Program Files\Online Services
[14.06.2007|22:16] C:\Program Files\Outlook Express
[18.01.2009|19:59] C:\Program Files\PhotoScape
[03.10.2007|12:46] C:\Program Files\Play65
[21.01.2009|17:50] C:\Program Files\PlayFirst
[07.06.2007|21:34] C:\Program Files\ReflexiveArcade
[07.06.2008|12:37] C:\Program Files\Ricochet Lost Worlds
[13.10.2006|15:51] C:\Program Files\SMC
[15.12.2007|21:04] C:\Program Files\STV
[15.07.2008|14:29] C:\Program Files\Sun
[25.09.2007|20:42] C:\Program Files\Symantec
[07.10.2006|09:28] C:\Program Files\Teletext
[20.12.2008|19:54] C:\Program Files\Tencent
[02.10.2006|12:14] C:\Program Files\Uninstall Information
[24.02.2009|22:37] C:\Program Files\Viewpoint
[06.03.2007|19:13] C:\Program Files\Winamp
[08.03.2008|18:13] C:\Program Files\Windows Live
[23.12.2007|11:37] C:\Program Files\Windows Media Connect 2
[23.12.2007|11:41] C:\Program Files\Windows Media Player
[02.10.2006|08:41] C:\Program Files\Windows NT
[02.10.2006|08:44] C:\Program Files\WindowsUpdate
[06.10.2006|07:55] C:\Program Files\WinRAR
[02.10.2006|08:46] C:\Program Files\xerox
[0|Dosya] C:\Program Files\bayt
[72|Dizin] C:\Program Files\bayt boş

--------------------\\ Listing Folders in C:\Program Files\Common Files

[26.10.2006|17:11] C:\Program Files\Common Files\Adobe
[07.10.2006|09:23] C:\Program Files\Common Files\Ahead
[23.02.2009|21:54] C:\Program Files\Common Files\AOL
[25.09.2007|20:21] C:\Program Files\Common Files\Cisco Systems
[08.02.2007|12:01] C:\Program Files\Common Files\DESIGNER
[25.04.2008|19:26] C:\Program Files\Common Files\DVDVideoSoft
[16.09.2007|18:06] C:\Program Files\Common Files\HP
[22.09.2007|22:18] C:\Program Files\Common Files\InstallShield
[22.09.2007|22:38] C:\Program Files\Common Files\InterVideo
[04.01.2007|18:42] C:\Program Files\Common Files\Java
[08.02.2007|12:01] C:\Program Files\Common Files\L&H
[13.07.2008|20:24] C:\Program Files\Common Files\Microsoft Shared
[02.10.2006|08:43] C:\Program Files\Common Files\MSSoap
[09.06.2008|16:53] C:\Program Files\Common Files\Oberon Media
[02.10.2006|11:28] C:\Program Files\Common Files\ODBC
[02.10.2006|08:43] C:\Program Files\Common Files\Services
[20.12.2008|19:51] C:\Program Files\Common Files\Software Update Utility
[02.10.2006|11:28] C:\Program Files\Common Files\SpeechEngines
[25.09.2007|20:42] C:\Program Files\Common Files\Symantec Shared
[17.01.2009|17:49] C:\Program Files\Common Files\System
[08.03.2008|18:14] C:\Program Files\Common Files\WindowsLiveInstaller
[0|Dosya] C:\Program Files\Common Files\bayt
[23|Dizin] C:\Program Files\Common Files\bayt boş

--------------------\\ Process

( 37 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 22:38:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 1

--------------------\\ Searching for other infections


No other infections found !

[F:6312][D:149]-> C:\DOCUME~1\usr\LOCALS~1\Temp
[F:13][D:0]-> C:\DOCUME~1\usr\Cookies
[F:4242][D:25]-> C:\DOCUME~1\usr\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 24.02.2009|22:15 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - 24.02.2009|22:39 - Option : [2]

--------------------\\ Scan completed at 22:39:14

Re: lop problem
Okay, now I'm confused.
Are you running tools on both machines? I want to work on one machine, then the other, otherwise it will cause problems for me.

Please run DDS for your sister's machine, instructions here:
http://www.geekpolice.net/virus-spyware-malware-removal-f11/lop-problem-t6996.htm#42957

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: lop problem
Yes, sorry for the chaos that I caused :( Because of our anxiety I ran the tools on both machines.. Now that she had to sleep I can't work on her PC, only on my own PC now.. I did what you said up to the option 2 step for both machines.. and I didn't download DDS yet.. Did my explanations help you to get rid of the confusion? Now should I follow your instructions for my PC? (If it's under threat; I couldn't understand this part.) And maybe tomorrow I cant try the same path for her machine..

Re: lop problem
Okay, we'll do your machine for now.

And you aren't under attack, but this is caused by something you did without realizing.
The LOP infection is brought on when you install Messenger Plus! with sponsors, the messenger is legit, the sponsors is an infection.
I can see from LOP S&D that Messenger Plus! is installed here, so we'll uninstall it and re-install it without sponsors.

Please run DDS from YOUR machine.


Re: lop problem
I didn't even know, and am still not sure, that I have Messenger Plus.. I know my sister has it but.. my machine, I don't think so.. But if you say I have it you must be right :) Here is the DDS log from MY machine..



DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 23:08:43,76 on 24.02.2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1497 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
mDefault_Page_URL = hxxp://www.google.com.tr/
uInternet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dk994s4c.default\
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\dk994s4c.default\extensions\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}\components\FFAlert.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Dönüştürücüsü;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-02-24 22:04 --d----- C:\Lop SD
2009-02-22 02:24 268 a---h--- C:\sqmdata03.sqm
2009-02-22 02:24 244 a---h--- C:\sqmnoopt03.sqm
2009-02-21 20:19 268 a---h--- C:\sqmdata02.sqm
2009-02-21 20:19 244 a---h--- C:\sqmnoopt02.sqm
2009-02-21 18:46 268 a---h--- C:\sqmdata01.sqm
2009-02-21 18:46 244 a---h--- C:\sqmnoopt01.sqm
2009-02-21 16:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:15 --d----- c:\docume~1\alluse~1\applic~1\KONAMI
2009-02-21 16:11 --d----- c:\program files\KONAMI
2009-02-16 22:55 268 a---h--- C:\sqmdata00.sqm
2009-02-16 22:55 244 a---h--- C:\sqmnoopt00.sqm
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-13 12:44 --d----- C:\_OTMoveIt
2009-02-08 21:09 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf

==================== Find3M ====================

2009-02-24 17:28 413,744 a------- c:\windows\system32\perfh01F.dat
2009-02-24 17:28 82,292 a------- c:\windows\system32\perfc01F.dat

============= FINISH: 23:08:58,03 ===============

Re: lop problem
Hello.
There are a few things we can throw, so I want to see what's installed.

  • Open HijackThis
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Re: lop problem
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
7-Zip 4.57
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Ares 2.1.0
Babylon
BS.Player FREE
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915800-v4)
Java(TM) 6 Update 4
K-Lite Codec Pack 3.7.0 Full
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Turkish Language Pack
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - TRK
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (Turkish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Turkish) 2007
Microsoft Office Groove MUI (Turkish) 2007
Microsoft Office InfoPath MUI (Turkish) 2007
Microsoft Office OneNote MUI (Turkish) 2007
Microsoft Office Outlook MUI (Turkish) 2007
Microsoft Office PowerPoint MUI (Turkish) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Turkish) 2007
Microsoft Office Proofing (Turkish) 2007
Microsoft Office Publisher MUI (Turkish) 2007
Microsoft Office Shared MUI (Turkish) 2007
Microsoft Office Word MUI (Turkish) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.0.6)
Nero 8 Lite 8.3.6.0
NOD32 antivirus system
NVIDIA Drivers
OpenOffice.org 2.3
OpenOffice.org 2.3 Language Pack (Türkçe)
Picasa 2
Pro Evolution Soccer 2009
QuickSnooker
Realtek High Definition Audio Driver
Steam
Texas Instruments PCIxx21/x515 drivers.
Winamp (remove only)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 11 (KB936782) için Güvenlik Güncelleştirmesi
Windows Media Player 11 (KB939683) için Düzeltme
Windows Media Player 11 (KB954154) için Güvenlik Güncelleştirmesi
Windows Search 4.0
Windows XP (KB941569) için Güvenlik Güncelleştirmesi
Windows XP için Düzeltme (KB952287)
Windows XP için Güncelleştirme (KB898461)
Windows XP için Güncelleştirme (KB951072-v2)
Windows XP için Güncelleştirme (KB951978)
Windows XP için Güvenlik Güncelleştirmesi (KB938464)
Windows XP için Güvenlik Güncelleştirmesi (KB950762)
Windows XP için Güvenlik Güncelleştirmesi (KB950974)
Windows XP için Güvenlik Güncelleştirmesi (KB951066)
Windows XP için Güvenlik Güncelleştirmesi (KB951376-v2)
Windows XP için Güvenlik Güncelleştirmesi (KB951698)
Windows XP için Güvenlik Güncelleştirmesi (KB952954)
Windows XP için Güvenlik Güncelleştirmesi (KB954211)
Windows XP için Güvenlik Güncelleştirmesi (KB956390)
Windows XP için Güvenlik Güncelleştirmesi (KB956391)
Windows XP için Güvenlik Güncelleştirmesi (KB956803)
Windows XP için Güvenlik Güncelleştirmesi (KB956841)
Windows XP için Güvenlik Güncelleştirmesi (KB957095)
Windows XP için Güvenlik Güncelleştirmesi (KB958644)
WinRAR archiver

Re: lop problem
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

    7-Zip 4.57 <== old version, will update soon
    Ares 2.1.0 <== P2P, see my note below
    Java(TM) 6 Update 4 <== old version, will update soon
    WinRAR archiver <== not needed since 7zip is installed


P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

I see the OTMoveIt folder still on your C drive, but I can't remember if you still have the executable file for it, so if not, here are the instructions.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\sqmdata*.sqm
    C:\sqmnoopt*.sqm
    C:\Lop SD
    C:\Documents and Settings\Owner\Desktop\dds.scr
    C:\Program Files\Viewpoint
    C:\Program Files\LimeWire
    C:\Program Files\AskSBar
    C:\Program Files\Ares
    C:\Program Files\GamesBar


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: lop problem
Hello again, here is the OTMoveIt log of my machine..

========== FILES ==========
C:\sqmdata00.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmdata03.sqm moved successfully.
C:\sqmnoopt00.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmnoopt03.sqm moved successfully.
C:\Lop SD\Backup-Lop\Reg moved successfully.
C:\Lop SD\Backup-Lop\Hosts moved successfully.
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\LOCALS~1\Temp moved successfully.
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\LOCALS~1 moved successfully.
C:\Lop SD\Backup-Lop\DOCUME~1\Owner moved successfully.
C:\Lop SD\Backup-Lop\DOCUME~1 moved successfully.
C:\Lop SD\Backup-Lop moved successfully.
Folder move failed. C:\Lop SD scheduled to be moved on reboot.
C:\Documents and Settings\Owner\Desktop\dds.scr moved successfully.
File/Folder C:\Program Files\Viewpoint not found.
File/Folder C:\Program Files\LimeWire not found.
File/Folder C:\Program Files\AskSBar not found.
File/Folder C:\Program Files\Ares not found.
File/Folder C:\Program Files\GamesBar not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02242009_234552

Files moved on Reboot...
C:\Lop SD moved successfully.
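
Added example, not part of the original thread and not code from OTMoveIt: a small Python check that reconciles the `:files` script posted above against the results log, so every requested target ends up as moved, not found, still pending a reboot, or never reported. The script and log text are copied from the posts above (the Backup-Lop child lines are abridged); the function names and status labels are assumptions of this sketch, and only the three line shapes visible in this log are recognised.

```python
import fnmatch
import re

# ":files" script as posted in the thread.
SCRIPT = r"""
:files
C:\sqmdata*.sqm
C:\sqmnoopt*.sqm
C:\Lop SD
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\Program Files\Viewpoint
C:\Program Files\LimeWire
C:\Program Files\AskSBar
C:\Program Files\Ares
C:\Program Files\GamesBar
"""

# Results log as posted in the thread (Backup-Lop child lines abridged).
LOG = r"""
========== FILES ==========
C:\sqmdata00.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmdata03.sqm moved successfully.
C:\sqmnoopt00.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmnoopt03.sqm moved successfully.
C:\Lop SD\Backup-Lop moved successfully.
Folder move failed. C:\Lop SD scheduled to be moved on reboot.
C:\Documents and Settings\Owner\Desktop\dds.scr moved successfully.
File/Folder C:\Program Files\Viewpoint not found.
File/Folder C:\Program Files\LimeWire not found.
File/Folder C:\Program Files\AskSBar not found.
File/Folder C:\Program Files\Ares not found.
File/Folder C:\Program Files\GamesBar not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02242009_234552

Files moved on Reboot...
C:\Lop SD moved successfully.
"""

# The same log as it would look if the post-reboot section were missing.
LOG_BEFORE_REBOOT = LOG.split("Files moved on Reboot...")[0]

# Line shapes seen in this log; the status labels are this sketch's own.
LINE_SHAPES = [
    ("pending-reboot", re.compile(
        r"^Folder move failed\. (?P<path>.+) scheduled to be moved on reboot\.$")),
    ("not-found", re.compile(r"^File/Folder (?P<path>.+) not found\.$")),
    ("moved", re.compile(r"^(?P<path>.+) moved successfully\.$")),
]


def parse_script(script):
    """Return the target paths listed under the ':files' directive."""
    targets, in_files = [], False
    for line in (raw.strip() for raw in script.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            in_files = line.lower() == ":files"
        elif in_files:
            targets.append(line)
    return targets


def parse_log(log):
    """Map lower-cased path -> last status reported for it (later lines win)."""
    status = {}
    for line in (raw.strip() for raw in log.splitlines()):
        for label, shape in LINE_SHAPES:
            match = shape.match(line)
            if match:
                status[match.group("path").lower()] = label
                break
    return status


def reconcile(script, log):
    """Give each script target one status, expanding '*' wildcards."""
    status = parse_log(log)
    report = {}
    for target in parse_script(script):
        hits = [s for path, s in status.items()
                if fnmatch.fnmatchcase(path, target.lower())]
        if not hits:
            report[target] = "unreported"
        elif "pending-reboot" in hits:
            report[target] = "pending-reboot"
        elif all(s == "not-found" for s in hits):
            report[target] = "not-found"
        else:
            report[target] = "moved"
    return report


def needs_followup(report):
    """Targets that were neither moved nor confirmed absent."""
    return [t for t, s in report.items() if s in ("pending-reboot", "unreported")]


if __name__ == "__main__":
    for target, state in reconcile(SCRIPT, LOG).items():
        print(f"{state:15} {target}")
```

Run against a log captured before the reboot, `needs_followup` returns `C:\Lop SD`, which is the one entry that still has to be confirmed in the "Files moved on Reboot..." section.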

Re: lop problem
Okay, let's finish up here.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt.
  • It will start cleaning now, and will want to reboot after, please allow it to do so.
  • It will make a log of what it has removed, but I don't need to see the log.


Let's update the software now.
Download and install the latest version of 7zip from here:
http://downloads.sourceforge.net/sevenzip/7z465.exe

Then update Java:

Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
  • Select the first option where it says "This release includes the highly anticipated...".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

  • First, unzip it.
  • Then run JavaRa. (If you are running Vista, you will need to right click JavaRa > select "Run as administrator")
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.


Let me know how the machine is running now.


Re: lop problem
I wasn't aware of any lop problem on my PC before discovering my sister's problems.. With your help I deleted and got rid of the kryptik.GH trojan last week, but yesterday during a deep scan with my antivirus it found and deleted 51 kryptik.GH, kryptik.DQ, kryptikGF and this kind of kryptik stuff that I hate to see.. But other than that there were no big problems; I just realised that sometimes (including while trying to install 7zip just a couple of minutes ago) when I open Explorer or Mozilla I am getting an annoying advertisement from LINK REMOVED. I hadn't been aware of any kind of threat other than what I mentioned.. Do you think I am safe now? And after resolving my situation, could you give me some information about my sister's PC situation please (just note that I could only follow half of the steps, and the final thing that I did on that PC was the Lop S&D option 2 step..)

Just a note: I am now downloading Java update 12 but haven't finished yet..

Re: lop problem
Hello again, are you gone? I have finished your instructions; here is the JavaRa log of MY machine:


JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Feb 25 00:49:03 2009

------------------------------------

Finished reporting.

Re: lop problem

Hello.
That popup you're getting, is it just from certain websites? Do you get it if you go to Google?

Can I ask, are you experiencing Google hijack problems?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: lop problem

no, i don't get any popup when i go to google.. i just sometimes get this popup but i don't know when for certain..

i really appreciate the invaluable support that you are giving me since the first day we met, and i look forward to hearing from you.. i think you are getting some rest as you deserve more than anyone else..

i just supplicate that you review all we had done tonight on both pcs.. and would i be demanding too much if i wanted information about the latest situation of my machine and my sister's machine respectively? and i am curious about whether i should try to connect to the internet from my sister's machine tomorrow to get help from you?
i hope to get detailed info tomorrow and
I wish you the best..

Re: lop problem

Your sister's machine should be fine to connect to the net assuming you're careful and don't visit any bad sites until I get online.
Let's get an updated Lop S&D log.

Download Lop S&D here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

............................................................................................

Site Admin / Security Administrator


Re: lop problem

hello again my precious friend, firstly i am following your instructions for MY machine and when you confirm that i am completely clean and safe i'll go to my sister's machine and follow your instructions.. i hope this way will help you to work more easily..

Here i start with MY machine..

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Intel(R) Pentium(R) M processor 1.86GHz )
BIOS : Phoenix NoteBIOS 4.0 Release 6.0
USER : Owner ( Administrator )
BOOT : Normal boot
Antivirus : ESET NOD32 antivirus system 2.70 2.70 (Activated)
C:\ (Local Disk) - NTFS - Total:55 Go (Free:39 Go)
D:\ (CD or DVD)
E:\ (Local Disk) - FAT32 - Total:149 Go (Free:76 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 25.02.2009|16:40 )

--------------------\\ Listing folders in APPLIC~1

[25.02.2009|16:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Babylon
[21.02.2009|16:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\KONAMI
[29.12.2008|01:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[24.11.2008|20:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[11.11.2008|08:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
[11.11.2008|18:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[19.01.2009|17:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\qs
[21.01.2009|13:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
[14.11.2008|22:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sports Interactive
[20.01.2009|14:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[11.11.2008|18:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[0|Dosya] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bayt
[13|Dizin] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bayt boş

[10.11.2008|20:34] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bayt boş

[19.01.2009|19:24] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\LOCALS~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\LOCALS~1\APPLIC~1\bayt boş

[15.11.2008|15:06] C:\DOCUME~1\Moiz\APPLIC~1\Adobe
[18.12.2008|22:59] C:\DOCUME~1\Moiz\APPLIC~1\Babylon
[09.01.2009|23:55] C:\DOCUME~1\Moiz\APPLIC~1\DivX
[15.11.2008|15:05] C:\DOCUME~1\Moiz\APPLIC~1\Identities
[15.11.2008|15:11] C:\DOCUME~1\Moiz\APPLIC~1\Macromedia
[28.12.2008|22:06] C:\DOCUME~1\Moiz\APPLIC~1\Microsoft
[15.11.2008|15:05] C:\DOCUME~1\Moiz\APPLIC~1\Windows Desktop Search
[22.02.2009|00:49] C:\DOCUME~1\Moiz\APPLIC~1\Windows Search
[0|Dosya] C:\DOCUME~1\Moiz\APPLIC~1\bayt
[10|Dizin] C:\DOCUME~1\Moiz\APPLIC~1\bayt boş

[10.11.2008|20:38] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\NETWOR~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\NETWOR~1\APPLIC~1\bayt boş

[11.11.2008|13:22] C:\DOCUME~1\Owner\APPLIC~1\Adobe
[19.01.2009|16:46] C:\DOCUME~1\Owner\APPLIC~1\Babylon
[12.11.2008|11:38] C:\DOCUME~1\Owner\APPLIC~1\BSplayer
[12.11.2008|11:31] C:\DOCUME~1\Owner\APPLIC~1\BSplayer Pro
[10.11.2008|20:39] C:\DOCUME~1\Owner\APPLIC~1\Identities
[11.11.2008|14:35] C:\DOCUME~1\Owner\APPLIC~1\Macromedia
[11.11.2008|17:35] C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
[17.12.2008|20:54] C:\DOCUME~1\Owner\APPLIC~1\Microsoft
[11.11.2008|19:39] C:\DOCUME~1\Owner\APPLIC~1\Mozilla
[14.11.2008|22:49] C:\DOCUME~1\Owner\APPLIC~1\Sports Interactive
[11.11.2008|19:24] C:\DOCUME~1\Owner\APPLIC~1\Sun
[11.11.2008|19:39] C:\DOCUME~1\Owner\APPLIC~1\Thunderbird
[11.11.2008|11:30] C:\DOCUME~1\Owner\APPLIC~1\Windows Desktop Search
[12.11.2008|19:07] C:\DOCUME~1\Owner\APPLIC~1\Windows Search
[11.02.2009|11:53] C:\DOCUME~1\Owner\APPLIC~1\WinRAR
[0|Dosya] C:\DOCUME~1\Owner\APPLIC~1\bayt
[17|Dizin] C:\DOCUME~1\Owner\APPLIC~1\bayt boş

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[25.02.2009 16:10][--ah-----] C:\WINDOWS\tasks\SA.DAT
[04.08.2004 16:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[24.02.2009|23:49] C:\Program Files\7-Zip
[18.12.2008|18:28] C:\Program Files\Babylon
[24.02.2009|23:42] C:\Program Files\Common Files
[10.11.2008|20:32] C:\Program Files\ComPlus Applications
[08.02.2009|22:09] C:\Program Files\ESET
[10.11.2008|22:11] C:\Program Files\Foxit Software
[11.11.2008|08:57] C:\Program Files\Google
[11.11.2008|12:16] C:\Program Files\InstallShield Installation Information
[02.02.2009|20:47] C:\Program Files\Internet Explorer
[25.02.2009|00:41] C:\Program Files\Java
[11.11.2008|09:03] C:\Program Files\K-Lite Codec Pack
[21.02.2009|16:11] C:\Program Files\KONAMI
[10.11.2008|20:35] C:\Program Files\microsoft frontpage
[11.11.2008|09:45] C:\Program Files\Microsoft Office
[11.11.2008|11:20] C:\Program Files\Microsoft Silverlight
[11.11.2008|09:45] C:\Program Files\Microsoft Visual Studio
[11.11.2008|09:45] C:\Program Files\Microsoft Works
[10.11.2008|20:33] C:\Program Files\Movie Maker
[25.02.2009|01:10] C:\Program Files\Mozilla Firefox
[10.11.2008|20:31] C:\Program Files\MSN Gaming Zone
[10.11.2008|22:12] C:\Program Files\mtu
[11.11.2008|09:01] C:\Program Files\Nero
[10.11.2008|20:33] C:\Program Files\NetMeeting
[10.11.2008|20:33] C:\Program Files\Online Services
[10.11.2008|22:13] C:\Program Files\OpenOffice.org 2.3
[10.11.2008|20:33] C:\Program Files\Outlook Express
[11.11.2008|08:57] C:\Program Files\Picasa2
[24.02.2009|23:43] C:\Program Files\QuickSnooker
[22.01.2009|11:00] C:\Program Files\Steam
[20.01.2009|12:16] C:\Program Files\Trend Micro
[10.11.2008|20:39] C:\Program Files\Uninstall Information
[12.11.2008|11:31] C:\Program Files\Webteh
[20.01.2009|13:35] C:\Program Files\Winamp
[11.11.2008|11:30] C:\Program Files\Windows Desktop Search
[11.11.2008|08:58] C:\Program Files\Windows Live
[11.11.2008|11:22] C:\Program Files\Windows Media Connect 2
[11.11.2008|11:22] C:\Program Files\Windows Media Player
[10.11.2008|20:31] C:\Program Files\Windows NT
[10.11.2008|20:33] C:\Program Files\WindowsUpdate
[11.02.2009|11:44] C:\Program Files\WinRAR
[10.11.2008|20:35] C:\Program Files\xerox
[0|Dosya] C:\Program Files\bayt
[43|Dizin] C:\Program Files\bayt boş

--------------------\\ Listing Folders in C:\Program Files\Common Files

[11.11.2008|09:45] C:\Program Files\Common Files\DESIGNER
[11.11.2008|12:15] C:\Program Files\Common Files\InstallShield
[11.11.2008|10:03] C:\Program Files\Common Files\Microsoft Shared
[10.11.2008|20:33] C:\Program Files\Common Files\MSSoap
[11.11.2008|09:00] C:\Program Files\Common Files\Nero
[10.11.2008|22:18] C:\Program Files\Common Files\ODBC
[10.11.2008|20:33] C:\Program Files\Common Files\Services
[10.11.2008|22:18] C:\Program Files\Common Files\SpeechEngines
[10.11.2008|22:22] C:\Program Files\Common Files\System
[0|Dosya] C:\Program Files\Common Files\bayt
[11|Dizin] C:\Program Files\Common Files\bayt boş

--------------------\\ Process

( 38 Processes )

iexplore.exe ~ [PID:528]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 16:41:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
disk error: C:\WINDOWS\System32\
please note that you need administrator rights to perform deep scan

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Owner\Recent\CRACK ve SERIAL.lnk


[F:1007][D:27]-> C:\DOCUME~1\Owner\LOCALS~1\Temp
[F:100][D:0]-> C:\DOCUME~1\Owner\Cookies
[F:7569][D:8]-> C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 25.02.2009|16:42 - Option : [1]

--------------------\\ Scan completed at 16:42:07

Re: lop problem

Hello.
I think we can wrap this up now.
Nothing showing up in LOP S&D.
I think the popups may be something hiding from us, hopefully this will get it.

Once MBAM is done, I'll flag you as clean if the report isn't too bad.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

............................................................................................

Site Admin / Security Administrator


Re: lop problem

hello again.. i couldn't update the program, it says ''update failed, make sure you are connected to the internet and your firewall is set to allow Malwarebytes' Anti Malware to access the internet''. should i proceed, ignoring this?

Re: lop problem

Yes. See what the scan finds.

............................................................................................

Site Admin / Security Administrator


Re: lop problem

process done.. what were those 16 infected files?

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

25.02.2009 18:02:04
mbam-log-2009-02-25 (18-02-04).txt

Scan type: Quick Scan
Objects scanned: 64048
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxhjuoethw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxaollvqhr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxdgmwqkih.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxdlpalyno.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxfwxwhkly.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxjdbqptxe.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxlldllole.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxlrdltowy.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxlyappakx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxpvuueuhd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxsapynkly.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxtymctqon.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxvwiltlog.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxwtmjctni.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Re: lop problem

It's a DNS hijacker rootkit.
Can you post a new DDS log please? I wasn't expecting this.

............................................................................................

Site Admin / Security Administrator


Re: lop problem

i am wondering and upset about how i could have got into this much trouble by just a simple use of the internet, and wondering who and what the intruder can gain from us :(


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 18:13:12,71 on 25.02.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1589 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\Problem Çözümleme Artıkları\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
mDefault_Page_URL = hxxp://www.google.com.tr/
uInternet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dk994s4c.default\
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\dk994s4c.default\extensions\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}\components\FFAlert.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Dönüştürücüsü;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-02-25 17:51 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-25 17:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-25 17:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 17:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 17:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 16:40 --d----- C:\Lop SD
2009-02-25 00:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-25 00:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-21 16:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:15 --d----- c:\docume~1\alluse~1\applic~1\KONAMI
2009-02-21 16:11 --d----- c:\program files\KONAMI
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-08 21:09 6,604 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf
2009-01-29 01:08 4 a------- c:\windows\system32\gaopdxcounter

==================== Find3M ====================

2009-02-25 00:09 413,744 a------- c:\windows\system32\perfh01F.dat
2009-02-25 00:09 82,292 a------- c:\windows\system32\perfc01F.dat

============= FINISH: 18:13:30,79 ===============
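
Added example, not part of the original posts and not code from Malwarebytes or DDS: a Python script that cross-checks an MBAM removal log against a later log, as one would do with the two logs above. It flags paths MBAM reported deleting that the later log still lists, and names sharing a filename prefix with a cluster of detections. The sample lines are a constructed excerpt copied from the two logs in this thread; the function names and thresholds are assumptions.

```python
import ntpath
import os.path
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the MBAM log in this thread.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxhjuoethw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxaollvqhr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxdgmwqkih.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed sample: a handful of lines copied from the DDS log posted afterwards.
DDS_LOG = r"""
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
2009-02-25 17:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-01-29 01:08 4 a------- c:\windows\system32\gaopdxcounter
"""

# "<item> (<verdict>) -> <action>"; "(No malicious items detected)" has no "->".
DETECTION = re.compile(r"^(?P<item>.+) \((?P<verdict>[^()]+)\) -> (?P<action>.+)$")
# A drive-letter path running to the end of the line (enough for these log formats).
WIN_PATH = re.compile(r"[A-Za-z]:\\.+$")


def parse_mbam(text):
    """Return (item, verdict, action) for every detection line in an MBAM log."""
    hits = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            hits.append((m["item"], m["verdict"], m["action"]))
    return hits


def family_prefixes(paths, seed=4, min_members=3):
    """Find filename prefixes shared by several detections.

    Names are bucketed by their first `seed` characters; a bucket with at least
    `min_members` names is widened to the longest prefix all its members share.
    """
    stems = [ntpath.splitext(ntpath.basename(p))[0].lower() for p in paths]
    buckets = Counter(s[:seed] for s in stems if len(s) > seed)
    found = []
    for start, count in buckets.items():
        if count >= min_members:
            members = [s for s in stems if s.startswith(start)]
            found.append(os.path.commonprefix(members))
    return sorted(found)


def residuals(mbam_text, later_log):
    """List paths in a later log that tie back to the MBAM detections."""
    hits = parse_mbam(mbam_text)
    files = [item.lower() for item, _, _ in hits if WIN_PATH.match(item)]
    prefixes = family_prefixes(files)
    report = []
    for line in later_log.splitlines():
        m = WIN_PATH.search(line)
        if not m:
            continue
        path = m.group(0).strip().lower()
        name = ntpath.basename(path)
        if path in files:
            report.append(("still-listed", path))   # reported deleted, yet listed again
        elif any(name.startswith(p) for p in prefixes):
            report.append(("same-prefix", path))    # never reported, same name family
    return report


if __name__ == "__main__":
    for kind, path in residuals(MBAM_LOG, DDS_LOG):
        print(f"{kind:12} {path}")
```

A "still-listed" hit means the later log still references a path MBAM reported deleting; a "same-prefix" hit is a name MBAM never reported. Both are items to re-check, not proof of infection.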

Re: lop problem

Hello.
See if you still get the Firefox popups now.

If you do, we'll go at it full force. I know the rootkit is present, we can blast it down.

............................................................................................

Site Admin / Security Administrator


Re: lop problem

what should i do now? i do not always get the popup, i sometimes randomly get it (i have not been getting any since last night..)

today i experienced a strange thing: before you got online i left the machine for nearly 5 minutes and when i came back i could move the mouse cursor freely but couldn't click on anything, the machine's display and keyboard were frozen, i could just move my mouse cursor and was forced to turn it off with the power button, but i sense this is not a big problem.. and has nothing to do with the problems you're solving..

Re: lop problem

Hmm.
Okay, if there are no problems left and the keyboard and mouse still work, then I think we can say we're done.

............................................................................................

Site Admin / Security Administrator


Re: lop problem

thank you very very much, you are the best!!! i just want to know how i can protect myself from future problems?

and after that can we start to work on my sister's machine? if you confirm, i will make a brief statement about the situation of her machine and the problems we encountered yesterday and the differences between yesterday and today..

Re: lop problem

Hello.
Power down this machine and leave it off, stop any malware getting back on.

Then go onto your sister's machine, and I'll post a prevention speech at the end when we're done with her machine.
Please open a new topic as well, this topic is getting too long for me to keep up with.

............................................................................................

Site Admin / Security Administrator


Re: lop problem

hi again.. i did everything that you said except the ''stop any malware getting back on'' part.. i couldn't understand what you mean there, i just shut down my machine and am working on her machine now.. i created a new topic called multiple infections and posted a message, waiting for your reply..

Re: lop problem

I have responded to your new thread.

............................................................................................

Site Admin / Security Administrator

