WiredWX Christian Hobby Weather Tools
Re: multiple infections
Okay, uninstall it, but DO NOT surf the net.
Then run CF.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: multiple infections

I got mad when I noticed that I couldn't even enter the Add/Remove Programs section :-( I uninstalled it by programs-eset-nod32-uninstall and then rebooted the machine. Now hopefully CF will take care of my PC.

Re: multiple infections

I have finalised the scan, but I didn't encounter the recovery console part.

ComboFix 09-02-24.02 - usr 2009-02-25 21:04:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.511.267 [GMT 2:00]
Running from: c:\documents and settings\usr\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\usr\kkkl.exe
c:\documents and settings\usr\s2dsxdshd.exe
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
c:\windows\IE4 Error Log.txt
c:\windows\s2dsxdshd.exe
c:\windows\sdsxdshd.exe
c:\windows\system32\drivers\services.exe
c:\windows\Temp\23370.exe
c:\windows\Temp\60360.exe
c:\windows\Temp\61312.exe
c:\windows\Temp\84547.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 22:12 . 2009-02-24 22:39 d-------- C:\Lop SD
2009-02-24 17:08 . 2009-02-25 20:54 d-------- c:\program files\ESET
2009-02-24 17:08 . 2009-02-24 17:08 0 --a------ c:\windows\system32\mapisvc.inf
2009-02-23 20:31 . 2009-02-24 17:14 26,156 --a------ c:\documents and settings\usr\lpex.exe
2009-02-23 18:05 . 2009-02-25 20:56 26,156 --a------ c:\documents and settings\usr\lpe.exe
2009-02-21 22:55 . 2009-02-25 20:59 26,156 --a------ c:\documents and settings\usr\7l3m4x8d6.exe
2009-02-21 21:26 . 2009-02-24 20:17 73,216 --a------ c:\documents and settings\usr\Setxup.exe
2009-02-21 21:25 . 2009-02-22 21:45 26,156 --a------ c:\documents and settings\usr\ssdswe.exe
2009-02-21 21:24 . 2009-02-22 21:49 26,156 --a------ c:\documents and settings\usr\deleteme.exe
2009-02-19 16:08 . 2009-02-19 16:08 723,968 -r-hs---- c:\windows\system32\drivers\WinMgmt.exe
2009-02-17 19:09 . 2009-02-25 21:03 26,156 --a------ c:\documents and settings\usr\h4d7l3m4x8d6.exe
2009-02-16 16:37 . 2009-02-25 21:03 73,216 --a------ c:\documents and settings\usr\Setup.exe
2009-02-15 14:03 . 2009-02-15 20:50 25,132 --a------ c:\documents and settings\usr\explode.exe
2009-02-12 19:26 . 2009-02-16 16:56 25,132 --a------ c:\documents and settings\usr\ssddshd.exe
2009-02-12 19:25 . 2009-02-12 21:31 18,944 --a------ c:\documents and settings\usr\sfddshd.exe
2009-02-08 12:27 . 2009-02-16 16:56 25,132 --a------ c:\documents and settings\usr\sd4dshd.exe
2009-02-07 17:30 . 2009-02-18 20:33 d-------- C:\quarantine
2009-02-07 17:29 . 2009-02-16 16:56 25,132 --a------ c:\documents and settings\usr\srdshd.exe
2009-02-04 16:44 . 2009-02-16 16:46 18,944 --a------ c:\documents and settings\usr\sdsxxdshd.exe
2009-02-04 11:45 . 2009-02-04 12:08 41,004 --a------ c:\documents and settings\usr\sxdsxdshd.exe
2009-02-04 11:41 . 2009-02-04 11:41 41,004 --a------ c:\windows\sxdsxdshd.exe
2009-02-03 18:05 . 2009-02-04 21:54 41,004 --a------ c:\documents and settings\usr\sdsxdshd.exe
2009-01-29 15:45 . 2009-01-29 16:05 47,192 --a------ c:\documents and settings\usr\sxdsdshd.exe
2009-01-27 11:21 . 2009-01-27 11:35 81,920 --a------ c:\documents and settings\usr\kdjods.exe
2009-01-27 11:20 . 2009-01-27 11:35 81,920 --a------ c:\documents and settings\usr\kjodxs.exe
2009-01-25 18:32 . 2009-01-25 19:12 33,366 --a------ c:\documents and settings\usr\Exrexdr.exe
2009-01-25 17:44 . 2009-01-25 18:19 33,366 --a------ c:\documents and settings\usr\Exxrxedr.exe
2009-01-25 17:44 . 2009-01-25 18:19 33,366 --a------ c:\documents and settings\usr\Exredr2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 20:37 --------- d-----w c:\program files\Viewpoint
2009-02-23 19:54 --------- d-----w c:\program files\Common Files\AOL
2009-02-22 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\GamesBar
2009-02-06 16:30 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-31 22:18 47,192 ----a-w c:\documents and settings\usr\sdsdsd.exe
2009-01-29 22:07 49,196 ----a-w c:\documents and settings\usr\sdsdshd.exe
2009-01-23 21:24 49,196 ----a-w c:\documents and settings\usr\Exredr.exe
2009-01-21 18:47 4,014 ----a-w c:\documents and settings\usr\taskmger.exe
2009-01-21 15:51 --------- d-----w c:\documents and settings\usr\Application Data\PlayFirst
2009-01-21 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\Reflexive
2009-01-21 15:50 --------- d-----w c:\program files\PlayFirst
2009-01-21 15:24 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-21 13:19 49,196 ----a-w c:\documents and settings\usr\xsdsdsd.exe
2009-01-20 20:19 62,976 ----a-w c:\documents and settings\usr\asdsdsd.exe
2009-01-18 17:59 --------- d-----w c:\program files\PhotoScape
2009-01-16 19:35 74,256 ----a-w c:\documents and settings\usr\Rkhaa.exe
2006-11-21 16:38 18,096 ----a-w c:\documents and settings\usr\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Remote"="c:\program files\LifeView TVR\Remote.exe" [2006-05-09 212992]
"RecSche"="c:\program files\LifeView TVR\RecSche.exe" [2006-01-04 454656]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SMCWCU"="c:\program files\SMC\SMCWPCIT-G\SMCWCU.exe" [2006-03-14 303104]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NodLogin"="c:\program files\Eset\nodlogin.exe" [2008-07-29 358448]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\All Users\Start Menu\Programlar\BaŸlang‡\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-09-22 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:35 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\System\\taskmger.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-20 24652]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-10-02 892032]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys [?]
S4 WinSoft Service Controler;WinSoft Service Controler;c:\windows\system32\drivers\WinMgmt.exe [2009-02-19 723968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f52345-e246-11dd-a532-00173176301a}]
\Shell\AutoRun\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
\Shell\open\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e68a4e8e-1086-11dd-a460-00173176301a}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL win32s.exe
\Shell\Aç\command - F:\win32s.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1D187332}]
c:\restore\k-1-3542-4232123213-7676767-8888886\X0R.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F187332}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\r00t.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987192}]
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}]
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-24CX1C987132}]
c:\recycle\D-0-060-0000000000-1111111-2222222\FiX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-34CX1C987132}]
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187562}]
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinDVRCtrl - c:\windows\WDVRCtrl.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.tr/
uInternet Settings,ProxyOverride =
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\usr\Application Data\Mozilla\Firefox\Profiles\oyyj043w.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 21:07:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Remote = c:\program files\LifeView TVR\Remote.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"



Completion time: 2009-02-25 21:09:01
ComboFix-quarantined-files.txt 2009-02-25 19:08:59

Pre-Run: 52.270.600.192 bayt boş
Post-Run: 54,570,307,584 bayt boş

172 --- E O F --- 2009-01-16 16:27:44

Re: multiple infections

Okay, let's finish this off.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
Viewpoint Manager Service
WinSoft Service Controler

File::
c:\documents and settings\usr\lpex.exe
c:\documents and settings\usr\lpe.exe
c:\documents and settings\usr\7l3m4x8d6.exe
c:\documents and settings\usr\Setxup.exe
c:\documents and settings\usr\ssdswe.exe
c:\documents and settings\usr\deleteme.exe
c:\windows\system32\drivers\WinMgmt.exe
c:\documents and settings\usr\h4d7l3m4x8d6.exe
c:\documents and settings\usr\Setup.exe
c:\documents and settings\usr\explode.exe
c:\documents and settings\usr\ssddshd.exe
c:\documents and settings\usr\sfddshd.exe
c:\documents and settings\usr\sd4dshd.exe
c:\documents and settings\usr\srdshd.exe
c:\documents and settings\usr\sdsxxdshd.exe
c:\documents and settings\usr\sxdsxdshd.exe
c:\windows\sxdsxdshd.exe
c:\documents and settings\usr\sdsxdshd.exe
c:\documents and settings\usr\sxdsdshd.exe
c:\documents and settings\usr\kdjods.exe
c:\documents and settings\usr\kjodxs.exe
c:\documents and settings\usr\Exrexdr.exe
c:\documents and settings\usr\Exxrxedr.exe
c:\documents and settings\usr\Exredr2.exe
c:\documents and settings\usr\sdsdsd.exe
c:\documents and settings\usr\sdsdshd.exe
c:\documents and settings\usr\Exredr.exe
c:\documents and settings\usr\taskmger.exe
c:\documents and settings\usr\xsdsdsd.exe
c:\documents and settings\usr\asdsdsd.exe
c:\documents and settings\usr\Rkhaa.exe
f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
F:\win32s.exe
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe

Folder::
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\GamesBar
c:\restore

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\System\\taskmger.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f52345-e246-11dd-a532-00173176301a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e68a4e8e-1086-11dd-a460-00173176301a}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1D187332}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F187332}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987192}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-24CX1C987132}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-34CX1C987132}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187562}]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


Re: multiple infections
the resulting log:

ComboFix 09-02-24.02 - usr 2009-02-25 21:41:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.511.195 [GMT 2:00]
Running from: c:\documents and settings\usr\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\usr\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\usr\7l3m4x8d6.exe
c:\documents and settings\usr\asdsdsd.exe
c:\documents and settings\usr\deleteme.exe
c:\documents and settings\usr\explode.exe
c:\documents and settings\usr\Exredr.exe
c:\documents and settings\usr\Exredr2.exe
c:\documents and settings\usr\Exrexdr.exe
c:\documents and settings\usr\Exxrxedr.exe
c:\documents and settings\usr\h4d7l3m4x8d6.exe
c:\documents and settings\usr\kdjods.exe
c:\documents and settings\usr\kjodxs.exe
c:\documents and settings\usr\lpe.exe
c:\documents and settings\usr\lpex.exe
c:\documents and settings\usr\Rkhaa.exe
c:\documents and settings\usr\sd4dshd.exe
c:\documents and settings\usr\sdsdsd.exe
c:\documents and settings\usr\sdsdshd.exe
c:\documents and settings\usr\sdsxdshd.exe
c:\documents and settings\usr\sdsxxdshd.exe
c:\documents and settings\usr\Setup.exe
c:\documents and settings\usr\Setxup.exe
c:\documents and settings\usr\sfddshd.exe
c:\documents and settings\usr\srdshd.exe
c:\documents and settings\usr\ssddshd.exe
c:\documents and settings\usr\ssdswe.exe
c:\documents and settings\usr\sxdsdshd.exe
c:\documents and settings\usr\sxdsxdshd.exe
c:\documents and settings\usr\taskmger.exe
c:\documents and settings\usr\xsdsdsd.exe
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
c:\windows\sxdsxdshd.exe
c:\windows\system32\drivers\WinMgmt.exe
f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
F:\win32s.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\GamesBar
c:\documents and settings\All Users\Application Data\GamesBar\about.gif
c:\documents and settings\All Users\Application Data\GamesBar\action.gif
c:\documents and settings\All Users\Application Data\GamesBar\arcade.gif
c:\documents and settings\All Users\Application Data\GamesBar\buy.gif
c:\documents and settings\All Users\Application Data\GamesBar\call_of_atlantis16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\cards.gif
c:\documents and settings\All Users\Application Data\GamesBar\deals.gif
c:\documents and settings\All Users\Application Data\GamesBar\download.gif
c:\documents and settings\All Users\Application Data\GamesBar\dream_day_wedding_216x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\feedback.gif
c:\documents and settings\All Users\Application Data\GamesBar\help.gif
c:\documents and settings\All Users\Application Data\GamesBar\highlight.gif
c:\documents and settings\All Users\Application Data\GamesBar\holly_a_christmas_tale_deluxe16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\house_of_wonders_bch16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\interpol_2_most_wanted16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\miss_teri_tale_2_vote_4_me16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\multiplayer.gif
c:\documents and settings\All Users\Application Data\GamesBar\mygames.gif
c:\documents and settings\All Users\Application Data\GamesBar\newGames.gif
c:\documents and settings\All Users\Application Data\GamesBar\oberonconfig.xm_
c:\documents and settings\All Users\Application Data\GamesBar\obSearchHistory.dat
c:\documents and settings\All Users\Application Data\GamesBar\onload\loading.gif
c:\documents and settings\All Users\Application Data\GamesBar\partner.gif
c:\documents and settings\All Users\Application Data\GamesBar\puzzle.gif
c:\documents and settings\All Users\Application Data\GamesBar\search.gif
c:\documents and settings\All Users\Application Data\GamesBar\search_yahoo.gif
c:\documents and settings\All Users\Application Data\GamesBar\season_match_216x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\sendafriend.gif
c:\documents and settings\All Users\Application Data\GamesBar\trial.gif
c:\documents and settings\All Users\Application Data\GamesBar\Turbo_Fiesta16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\uninstall.gif
c:\documents and settings\All Users\Application Data\GamesBar\update.gif
c:\documents and settings\All Users\Application Data\GamesBar\webgame.gif
c:\documents and settings\usr\7l3m4x8d6.exe
c:\documents and settings\usr\asdsdsd.exe
c:\documents and settings\usr\deleteme.exe
c:\documents and settings\usr\explode.exe
c:\documents and settings\usr\Exredr.exe
c:\documents and settings\usr\Exredr2.exe
c:\documents and settings\usr\Exrexdr.exe
c:\documents and settings\usr\Exxrxedr.exe
c:\documents and settings\usr\h4d7l3m4x8d6.exe
c:\documents and settings\usr\kdjods.exe
c:\documents and settings\usr\kjodxs.exe
c:\documents and settings\usr\lpe.exe
c:\documents and settings\usr\lpex.exe
c:\documents and settings\usr\Rkhaa.exe
c:\documents and settings\usr\sd4dshd.exe
c:\documents and settings\usr\sdsdsd.exe
c:\documents and settings\usr\sdsdshd.exe
c:\documents and settings\usr\sdsxdshd.exe
c:\documents and settings\usr\sdsxxdshd.exe
c:\documents and settings\usr\Setup.exe
c:\documents and settings\usr\Setxup.exe
c:\documents and settings\usr\sfddshd.exe
c:\documents and settings\usr\srdshd.exe
c:\documents and settings\usr\ssddshd.exe
c:\documents and settings\usr\ssdswe.exe
c:\documents and settings\usr\sxdsdshd.exe
c:\documents and settings\usr\sxdsxdshd.exe
c:\documents and settings\usr\taskmger.exe
c:\documents and settings\usr\xsdsdsd.exe
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe
c:\restore
c:\restore\c-1-3-64-8794238531-8742492-9897532\Desktop.ini
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\Desktop.ini
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\X0R.exe
c:\windows\sxdsxdshd.exe
c:\windows\system32\drivers\WinMgmt.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Legacy_WINSOFT_SERVICE_CONTROLER
-------\Service_Viewpoint Manager Service
-------\Service_WinSoft Service Controler


((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 22:12 . 2009-02-24 22:39 d-------- C:\Lop SD
2009-02-24 17:08 . 2009-02-25 20:54 d-------- c:\program files\ESET
2009-02-24 17:08 . 2009-02-24 17:08 0 --a------ c:\windows\system32\mapisvc.inf
2009-02-07 17:30 . 2009-02-18 20:33 d-------- C:\quarantine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 19:54 --------- d-----w c:\program files\Common Files\AOL
2009-02-06 16:30 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-21 15:51 --------- d-----w c:\documents and settings\usr\Application Data\PlayFirst
2009-01-21 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\Reflexive
2009-01-21 15:50 --------- d-----w c:\program files\PlayFirst
2009-01-21 15:24 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-18 17:59 --------- d-----w c:\program files\PhotoScape
2006-11-21 16:38 18,096 ----a-w c:\documents and settings\usr\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-02-25_21.08.15,79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Remote"="c:\program files\LifeView TVR\Remote.exe" [2006-05-09 212992]
"RecSche"="c:\program files\LifeView TVR\RecSche.exe" [2006-01-04 454656]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SMCWCU"="c:\program files\SMC\SMCWPCIT-G\SMCWCU.exe" [2006-03-14 303104]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NodLogin"="c:\program files\Eset\nodlogin.exe" [2008-07-29 358448]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\All Users\Start Menu\Programlar\BaŸlang‡\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-09-22 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:35 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-10-02 892032]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.tr/
uInternet Settings,ProxyOverride =
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\usr\Application Data\Mozilla\Firefox\Profiles\oyyj043w.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 21:44:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Remote = c:\program files\LifeView TVR\Remote.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-02-25 21:47:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 19:47:20
ComboFix2.txt 2009-02-25 19:09:03

Pre-Run: 54.549.286.912 bayt boş
Post-Run: 54,490,476,544 bayt boş

234 --- E O F --- 2009-01-16 16:27:44
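
An added triage example, not part of the original thread and not ComboFix's own logic: it parses the registry sections of a ComboFix log, flags the kinds of entries the CFScript above removed, and compares the first and second run. The excerpts are lines copied from the two logs in this thread; the heuristics, function names and the firewall baseline are assumptions made for illustration.

```python
import re

# Constructed excerpts: lines copied from the first and second ComboFix logs above.
LOG_BEFORE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\System\\taskmger.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f52345-e246-11dd-a532-00173176301a}]
\Shell\AutoRun\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1D187332}]
c:\restore\k-1-3542-4232123213-7676767-8888886\X0R.exe
"""

LOG_AFTER = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

HEADER = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A well-formed GUID uses hex digits only; the IDs removed in this thread do not.
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")
DWORD = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
# Assumption: the firewall entry the helper left in place is treated as baseline.
FIREWALL_BASELINE = {r"%windir%\system32\sessmgr.exe"}


def parse_sections(log):
    """Split a log into (lowercased registry key, [value lines]) pairs."""
    sections, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = (match.group("key").lower(), [])
            sections.append(current)
        elif not line:
            current = None          # a blank line ends the section
        elif current is not None:
            current[1].append(line)
    return sections


def triage(log):
    """Return a set of (finding, detail) tuples worth a reviewer's attention."""
    findings = set()
    for key, lines in parse_sections(log):
        leaf = key.rsplit("\\", 1)[-1]
        if key.endswith(r"\security center"):
            # Non-zero override/notify values silence Security Center alerts.
            for line in lines:
                match = DWORD.match(line)
                if match and int(match.group(2), 16) != 0:
                    findings.add(("security-center-override", match.group(1)))
        elif r"\active setup\installed components" in key:
            if not GUID.match(leaf):
                findings.add(("active-setup-malformed-id", leaf))
        elif r"\explorer\mountpoints2" in key:
            # AutoRun verbs cached for a drive: the program a double-click would start.
            for line in lines:
                verb, sep, target = line.partition(" - ")
                if sep and verb.lower().endswith(r"\autorun\command"):
                    findings.add(("mountpoints2-autorun", target.lower()))
        elif key.endswith(r"\authorizedapplications\list"):
            for line in lines:
                path = line.split('"')[1].replace("\\\\", "\\").lower()
                if path not in FIREWALL_BASELINE:
                    findings.add(("firewall-exception", path))
    return findings


def cleanup_report(before, after):
    """Compare two runs: what the fix removed, what is still set, what is new."""
    b, a = triage(before), triage(after)
    return {"resolved": sorted(b - a),
            "remaining": sorted(b & a),
            "new": sorted(a - b)}


if __name__ == "__main__":
    for status, items in cleanup_report(LOG_BEFORE, LOG_AFTER).items():
        for finding, detail in items:
            print(f"{status:9} {finding:28} {detail}")
```

On these excerpts the only findings still present after the second run are the Security Center overrides, which the CFScript did not touch.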

Re: multiple infections

Did I do everything correctly?

Re: multiple infections
Hello.
Yep, just these last things to do.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000


  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Now install a new AV.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial use.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is everything now?


Re: multiple infections

CF is uninstalled on the last step, is this ok?
Everything seems to be normal now, can I give the PC back to my sister now? After some use we can give better feedback about the machine a few days later. I don't know how to thank you!!

If everything is done, can you give me some brief information about what happened to this machine and what caused this? Also, you've told me (about my PC) that I got infected from Messenger Plus? Are you sure about that? Because I don't use Plus extensions. Are we both safe now? Especially from the Lop kind of problems that you've mentioned before. Could you give info about both computers separately?

Now I am returning to my machine. Glad that you're always here to help us, God bless you :))

Re: multiple infections

Don't know if you used Messenger Plus, but your sister did.

From CF log:

((((( Find3m )))))
c:\program files\Messenger Plus! Live

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: multiple infections

i returned to my pc.. yes i am sure my sister still uses it.. do you have any advice about that? is it necessary to run CF on my pc? or finally is it time to relax:)?

Re: multiple infections

If yours and your sister's machine is fine now, then I'd say you can relax.
Let me know how everything is in your next post.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: multiple infections

my machine seems to be working fine, i will ask my sister if everything has turned back to normal when i see her this evening.. thank you again for everything you've done for me.. I've started to support you on facebook and advertising GP to my friends..

you've told me that you would post a brief message about what happened to our machines, what is the cause of the damage, and how we can protect ourselves from future damage.. for example do you want me to post DDS or Hijackthis logs periodically, once a week or so?

another question i want to ask you is about the trojans i deleted via my antivirus before i consulted you.. i've cleaned nearly 50 Kryptik.GH, Kryptik.GF, Kryptik.GA, Kryptik.DQ and so on, kryptik stuff, what were those? and am i carrying any risks now?

Re: multiple infections

i am more than happy to say that both of our machines work very well now :Clapping:

Re: multiple infections

Hello.
The Kryptik files I did a little research on today, they appear mostly in %temp%, which aren't dangerous.

Glad the machines are fine. Next time you/your sister installs Plus!, watch what it says because the 2 options will either install cleanly or restore this infection.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox, they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: multiple infections

thank you for your recommendations i will consider and apply them slowly when i have free time.. can i be sure that this topic will remain open ?

Re: multiple infections

It will remain open for about 7-10 days.
After 10 days, it will be closed.

If you want it re-opened, PM me or Doctor_Inferno.
If not, then just start a new topic.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Big Problems again:-(

hello my saviour again.. i am too upset to say that i'm writing from my sis's machine because the similar problems that i've encountered on this machine have now damaged my laptop.. it means that i can't do anything on the internet at the moment, can't connect to any site, or msn etc..

everything was working fine yesterday night for me until my father took my laptop and not more than 5 minutes passed, suddenly he revealed that he can't even log in to hotmail.com.. i am really jaded with him because i can predict that he always tries to connect to those bad porn sites.. i suppose the damage is maybe from saturday night.. (cos i wasn't at home and probably he took my laptop and did strange things.. but the machine seemed to be fine the full sunday till the night that i gave the machine to him..

the most common message that i receive when i try to connect with mozilla is something like 'web prescription: tr.start2.mozilla.com server is answering too late..' (i've tried to translate to english)

note that: i had installed spybotS&D and outpost firewall on my laptop, couldn't avoid the damage:(

as a result i need your invaluable help again:(( do you want me to post the dds log or hijackthis log?

Re: multiple infections

DDS log please.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: multiple infections

hi again..
DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 16:44:29,56 on 02.03.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1553 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nodlogin.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Problem Çözümleme Artıkları\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
mDefault_Page_URL = hxxp://www.google.com.tr/
uInternet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Outpost Firewall] "c:\program files\agnitum\outpost firewall 1.0\outpost.exe" /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dk994s4c.default\

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R1 VFILT;Outpost Firewall Kernel Driver;c:\progra~1\agnitum\outpos~1.0\kernel\2000\FILTNT.SYS [2009-3-1 90368]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\ADBLOCK.DLL [2009-3-1 15552]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\CONTENT.DLL [2009-3-1 3904]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\DNSCACHE.DLL [2009-3-1 6144]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\FTPFILT.DLL [2009-3-1 6304]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTMLFILT.DLL [2009-3-1 7776]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTTPFILT.DLL [2009-3-1 9152]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\IMAPFILT.DLL [2009-3-1 7072]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\MAILFILT.DLL [2009-3-1 9920]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\NNTPFILT.DLL [2009-3-1 6656]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\POP3FILT.DLL [2009-3-1 7136]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\PROTECT.DLL [2009-3-1 15584]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Dönüştürücüsü;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-03-02 16:42 268 a---h--- C:\sqmdata03.sqm
2009-03-02 16:42 244 a---h--- C:\sqmnoopt03.sqm
2009-03-01 23:58 268 a---h--- C:\sqmdata02.sqm
2009-03-01 23:58 244 a---h--- C:\sqmnoopt02.sqm
2009-03-01 23:19 268 a---h--- C:\sqmdata01.sqm
2009-03-01 23:19 244 a---h--- C:\sqmnoopt01.sqm
2009-03-01 21:53 --d----- c:\program files\common files\Agnitum Shared
2009-03-01 21:53 --d----- c:\program files\Agnitum
2009-02-27 23:48 --d----- c:\program files\Spybot - Search & Destroy
2009-02-27 23:48 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-26 23:45 268 a---h--- C:\sqmdata00.sqm
2009-02-26 23:45 244 a---h--- C:\sqmnoopt00.sqm
2009-02-25 17:51 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-25 17:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-25 17:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 17:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 17:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 16:40 --d----- C:\Lop SD
2009-02-25 00:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-25 00:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-21 16:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:15 --d----- c:\docume~1\alluse~1\applic~1\KONAMI
2009-02-21 16:11 --d----- c:\program files\KONAMI
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-08 21:09 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf

==================== Find3M ====================

2009-03-01 22:57 413,744 a------- c:\windows\system32\perfh01F.dat
2009-03-01 22:57 82,292 a------- c:\windows\system32\perfc01F.dat

============= FINISH: 16:44:55,87 ===============

Re: multiple infections

Hello.
This log looks fine, there's no real signs of malware, only leftovers.
What problems is this machine having?

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\sqmdata*.sqm
    C:\sqmnoopt*.sqm
    C:\Lop SD


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
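
The by-eye review in the reply above (nothing alarming in the startup entries, only leftovers such as the hidden `sqm` files in `C:\`) can be approximated with a small parser for the DDS sections shown in this thread. This is an added example, not part of the original posts or of DDS itself; the rule names, the three heuristics and the reading of the attribute column (`h` = hidden) are assumptions, and a finding means "review this", not "this is malware".

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # DDS section the line came from
    rule: str     # hypothetical rule name (not a DDS concept)
    detail: str   # log line or path that triggered the rule


# Excerpt assembled from lines of the DDS log posted in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
uInternet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE

=============== Created Last 30 ================

2009-03-02 16:42 268 a---h--- C:\sqmdata03.sqm
2009-03-01 21:53 --d----- c:\program files\Agnitum
2009-02-25 16:40 --d----- C:\Lop SD
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
"""

# "===== Section Name =====" banner lines.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# "date time [size] attributes path"; the size column is absent for folders.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+"
    r"(?:([\d,]+)\s+)?"
    r"([a-z-]{8})\s+(.+)$"
)

# A path that sits directly in a drive root, e.g. C:\name
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Return lines of a DDS log that deserve a second look.

    Heuristics (assumptions made for this example):
      proxy-configured  a ProxyServer setting exists; worth checking first
                        when the complaint is "no site will load"
      orphaned-entry    a registered BHO/toolbar whose file is gone
      hidden-in-root    a recently created hidden item directly in a
                        drive root
    """
    findings: List[Finding] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section == "Pseudo HJT Report":
            if line.endswith("- No File"):
                findings.append(Finding(section, "orphaned-entry", line))
            elif "ProxyServer" in line.split("=", 1)[0]:
                findings.append(Finding(section, "proxy-configured", line))
        elif section == "Created Last 30":
            entry = CREATED_RE.match(line)
            if not entry:
                continue
            attrs, path = entry.group(4), entry.group(5)
            if "h" in attrs and ROOT_RE.match(path):
                findings.append(Finding(section, "hidden-in-root", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.section}: {f.detail}")
```
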

Re: multiple infections

as i mentioned before: ''hello my saviour again.. i am too upset to say that i'm writing from my sis's machine because the similar problems that i've encountered on this machine have now damaged my laptop.. it means that i can't do anything on the internet at the moment, can't connect to any site, or msn etc..

everything was working fine yesterday night for me until my father took my laptop and not more than 5 minutes passed, suddenly he revealed that he can't even log in to hotmail.com.. i am really jaded with him because i can predict that he always tries to connect to those bad porn sites.. i suppose the damage is maybe from saturday night.. (cos i wasn't at home and probably he took my laptop and did strange things.. but the machine seemed to be fine the full sunday till the night that i gave the machine to him..

the most common message that i receive when i try to connect with mozilla is something like 'web prescription: tr.start2.mozilla.com server is answering too late..' (i've tried to translate to english)

note that: i had installed spybotS&D and outpost firewall on my laptop, couldn't avoid the damage:(''
could the source of the damage occur when he opens his account? then affects me?

Re: multiple infections

Maybe that's why DDS gave me nothing.
The malware is on the other account of the machine and just appears on yours without the files.

Your account is fine, can you log on to the other account and post a DDS log from that account?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: multiple infections

i think that will prove that i am innocent:-) we are curing the machine and he makes it ill easily:((

========== FILES ==========
C:\sqmdata00.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmdata03.sqm moved successfully.
C:\sqmnoopt00.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmnoopt03.sqm moved successfully.
C:\Lop SD moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03022009_171126

now i will open his account and post the dds log..

Re: multiple infections

DDS (Ver_09-02-01.01) - NTFSx86
Run by Moiz at 17:20:24,31 on 02.03.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1599 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nodlogin.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
E:\cem sorun giderme\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
mDefault_Page_URL = hxxp://www.google.com.tr/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Outpost Firewall] "c:\program files\agnitum\outpost firewall 1.0\outpost.exe" /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\moiz\applic~1\mozilla\firefox\profiles\6xuxhze4.default\

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R1 VFILT;Outpost Firewall Kernel Driver;c:\progra~1\agnitum\outpos~1.0\kernel\2000\FILTNT.SYS [2009-3-1 90368]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\ADBLOCK.DLL [2009-3-1 15552]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\CONTENT.DLL [2009-3-1 3904]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\DNSCACHE.DLL [2009-3-1 6144]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\FTPFILT.DLL [2009-3-1 6304]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTMLFILT.DLL [2009-3-1 7776]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTTPFILT.DLL [2009-3-1 9152]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\IMAPFILT.DLL [2009-3-1 7072]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\MAILFILT.DLL [2009-3-1 9920]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\NNTPFILT.DLL [2009-3-1 6656]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\POP3FILT.DLL [2009-3-1 7136]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\PROTECT.DLL [2009-3-1 15584]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Dönüştürücüsü;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-03-01 21:53 --d----- c:\program files\common files\Agnitum Shared
2009-03-01 21:53 --d----- c:\program files\Agnitum
2009-02-27 23:48 --d----- c:\program files\Spybot - Search & Destroy
2009-02-27 23:48 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-26 22:36 --d----- c:\docume~1\moiz\applic~1\BSplayer
2009-02-25 17:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-25 17:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 17:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 17:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 00:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-25 00:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-22 00:49 --d----- c:\docume~1\moiz\applic~1\Windows Search
2009-02-21 16:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:15 --d----- c:\docume~1\alluse~1\applic~1\KONAMI
2009-02-21 16:11 --d----- c:\program files\KONAMI
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-08 21:09 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf

==================== Find3M ====================

2009-03-01 22:57 413,744 a------- c:\windows\system32\perfh01F.dat
2009-03-01 22:57 82,292 a------- c:\windows\system32\perfc01F.dat

============= FINISH: 17:20:41,90 ===============

could it be a lop problem again? cos the symptoms are similar to the one that you healed the previous week on my sister's machine, the internet is unavailable although there seem to be no connection problems..

Re: multiple infections

when trying to surf it always says something like network prescription: mozilla server is answering too late.. below that it shows some reasons, maybe the outpost firewall's wrong settings could cause such a problem, i don't know?

Re: multiple infections

The log looks okay.
We can check if it's LOP, but I doubt it is.

The problem could be the firewall.
Uninstall it for now and see if it repairs it.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: multiple infections

yes you were right! it turned to normal after uninstalling the firewall.. (I've checked both accounts) am i supposed to do something else?

while checking his account i saw many bad sites that he usually uses probably.. do you advise me to delete his temp folder, to prevent future threats?

Re: multiple infections

unless i don't know how to use a firewall well i think i shouldn't use it am i right?
and one more question i was using nod32 cracked version as you could see from the logs do you advise me to use avira personal free instead of nod32 cracked?

and finally are both spybotS&D and firefox addons enough for my defence?

Re: multiple infections

Sticking with Windows firewall should be enough providing you surf safely.
The Firefox add-ons will protect you.

Yeah, uninstall nod32 and install Avira.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: multiple infections

ok i will use avira from now on..

how can i be sure that windows firewall is open and protecting me properly?
it seems closed and i cant open it from windows security center!?

Re: multiple infections

Windows would alert you if the firewall wasn't switched on.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: multiple infections

ok thank you for everything you've done for me:) i hope you aren't jaded of dealing with my problems again and again..

Re: multiple infections

hi again this time i haven't got any problems with the machine... just searching for Piranha Webcam Driver model PC5000 can you help me?

Re: multiple infections

Maybe.
Please open a thread in the software area for that, since this is the malware removal section.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.