WiredWX Christian Hobby Weather Tools
Re: lop problem
belahzur, I am back again :) ... I need your help with two independent issues.
The first one is more important, and it's about my sister's PC. She is having trouble surfing with any kind of browser (Mozilla or Explorer), although there seems to be no problem with the network or internet connection, because my laptop works properly when our wireless modem is turned on. She also has dozens of problems in Windows, but NOD32 couldn't find any threats in a deep scan. (Maybe her Windows is nearly down and we need a format, I don't know.) I am sending you the HijackThis log which I've done on her PC and transferred to my PC via flash disk, hoping that you can help me again. (This time I am hopeless, because she can't even visit any site or log in to MSN, so I don't know how to follow your instructions from my PC.)

The second issue is about my PC, which is not so important for now, so I'll mention it later.

Re: lop problem
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:15:56, on 24.02.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\LifeView TVR\RecSche.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SMC\SMCWPCIT-G\SMCWCU.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\System\taskmger.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\drivers\WinMgmt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\LifeView TVR\remote.exe
F:\yedek\Setup Launchers\Advanced Security\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\WinMgmt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Oturum Açma Yardım Aracı - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: GamesBarBHO Class - {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files\GamesBar\oberontb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Remote] C:\Program Files\LifeView TVR\Remote.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\LifeView TVR\RecSche.exe"
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SMCWCU] "C:\Program Files\SMC\SMCWPCIT-G\SMCWCU.exe" -nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CLOCK HOPE ONLINE SOFTWARE] C:\Documents and Settings\All Users\Application Data\LongPokeClockHope\Window kind.exe
O4 - HKLM\..\Run: [Windows Update] C:\Program Files\Common Files\System\taskmger.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NodLogin] C:\Program Files\Eset\nodlogin.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [01 cool] C:\DOCUME~1\usr\APPLIC~1\BLEHBI~1\bold enc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/TR-TR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: SMC Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WinSoft Service Controler - Unknown owner - C:\WINDOWS\system32\drivers\WinMgmt.exe

--
End of file - 9205 bytes

Re: lop problem
Hello again.
I am splitting your post off into a new topic of its own.

Give me a minute to write up an answer.

Re: lop problem
Hello.
Bad news.

This computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions and credit card companies, inform them that you may be a victim of identity theft, and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Re: lop problem
My friend, you made me paralysed.. We both don't use credit cards on the network and don't do many important things on the web, just surfing and using Facebook, MSN etc.. And although she has had this kind of problem before, she hadn't had any network problems before, so I couldn't discover the problem earlier. But what can an attacker do with her computer except stealing her passwords for the MSN connection? You really made us scared, I don't know what to do now.. What is the meaning of lop? Can we detect the attacker or the source of the problem.. And can we be sure that my computer is under threat? Did you mean that I should change my modem's password? My knowledge is not enough to deal with this problem :-(

Re: lop problem
Actually, the problem isn't as bad as you think.
With this infection, you have a choice of formatting or cleaning.

There are a few users I am helping who have no other choice but to format; the infection they have is completely unfixable. [I will keep them anonymous; they will not be named.]

Still think you have a bad situation?

Just change any passwords from a clean computer, and we can start cleaning this machine.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\WinMgmt.exe
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: GamesBarBHO Class - {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files\GamesBar\oberontb.dll
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [CLOCK HOPE ONLINE SOFTWARE] C:\Documents and Settings\All Users\Application Data\LongPokeClockHope\Window kind.exe
    O4 - HKLM\..\Run: [Windows Update] C:\Program Files\Common Files\System\taskmger.exe
    O4 - HKCU\..\Run: [01 cool] C:\DOCUME~1\usr\APPLIC~1\BLEHBI~1\bold enc.exe
    O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WinSoft Service Controler - Unknown owner - C:\WINDOWS\system32\drivers\WinMgmt.exe


  • Press "Fix Checked"
  • Close HijackThis.

Download Lop S&D here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)
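The HijackThis lines the helper picked out above share a handful of patterns: a Winlogon Shell= value with an extra program appended, Run entries whose image lives under Application Data, a Temp folder or Common Files\System (often under a name that mimics a Windows component such as "Windows Update" or "ScanRegistry"), an "Unknown owner" service executing an .exe out of the drivers directory, an orphaned BHO with no file, and the GamesBar/Ask/Viewpoint add-ons. The script below is an added example, not part of the original thread and not HijackThis's own verdict logic: it re-reads a subset of lines copied from the posted log and flags them with those heuristics. The directory fragments, the impersonated-name list, the PUP markers and the severity ranks are this example's own assumptions.

```python
"""Triage a HijackThis v2 log with the heuristics applied in this thread.
Added example; the rules below are assumptions of this example, not HijackThis's."""
import re

# Constructed input: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\WinMgmt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: GamesBarBHO Class - {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files\GamesBar\oberontb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [CLOCK HOPE ONLINE SOFTWARE] C:\Documents and Settings\All Users\Application Data\LongPokeClockHope\Window kind.exe
O4 - HKLM\..\Run: [Windows Update] C:\Program Files\Common Files\System\taskmger.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [01 cool] C:\DOCUME~1\usr\APPLIC~1\BLEHBI~1\bold enc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: WinSoft Service Controler - Unknown owner - C:\WINDOWS\system32\drivers\WinMgmt.exe
"""

LINE_RE = re.compile(r"^(?P<section>[FOR]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed heuristics (this example's choices, not a vendor list).
SUSPECT_DIR_FRAGMENTS = (
    "\\application data\\", "\\applic~1\\",
    "\\local settings\\temp\\", "\\locals~1\\temp\\",
    "\\common files\\system\\",
)
IMPERSONATED_NAMES = {"windows update", "scanregistry"}
PUP_MARKERS = ("gamesbar", "asksbar", "viewpoint")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def check_shell(body):
    """F2: the Winlogon Shell value should be Explorer.exe alone; extra tokens run at logon."""
    idx = body.lower().find("shell=")
    if idx < 0:
        return []
    extras = [t for t in body[idx + 6:].split() if t.lower() != "explorer.exe"]
    return [("high", "Winlogon Shell also loads " + " ".join(extras))] if extras else []


def check_bho_or_toolbar(body):
    """O2/O3: orphaned registrations and known unwanted add-ons."""
    low = body.lower()
    if low.endswith("(no file)"):
        return [("low", "orphaned BHO registration (DLL missing)")]
    return [("medium", "known unwanted toolbar/BHO")] if any(m in low for m in PUP_MARKERS) else []


def check_run(body):
    """O4: autorun image location, impersonated names, truncated values."""
    m = RUN_RE.search(body)
    name, cmd = (m.group("name"), m.group("cmd")) if m else ("", body)
    low = cmd.lower()
    out = []
    if any(frag in low for frag in SUSPECT_DIR_FRAGMENTS):
        out.append(("high", "autorun image lives in a user-writable data/temp directory"))
    if name.lower() in IMPERSONATED_NAMES and "\\windows\\" not in low:
        out.append(("high", "entry name mimics a Windows component but does not point into %windir%"))
    if "." not in cmd:
        out.append(("low", "command value has no file extension (truncated or invalid)"))
    return out


def check_service(body):
    """O23: 'Service: Name - Owner - Path'; an .exe under \\drivers\\ with no vendor is odd."""
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return []
    owner, path = parts[1].strip(), parts[2].strip()
    low = path.lower()
    out = []
    if owner.lower() == "unknown owner" and "\\drivers\\" in low and low.endswith(".exe"):
        out.append(("high", "service with no vendor info runs an .exe out of the drivers directory"))
    if any(m in low for m in PUP_MARKERS):
        out.append(("medium", "service belongs to known unwanted software"))
    return out


CHECKS = {"F2": check_shell, "O2": check_bho_or_toolbar, "O3": check_bho_or_toolbar,
          "O4": check_run, "O23": check_service}


def triage(log_text):
    """Return one finding per suspicious line: dict(section, severity, reasons, line)."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("section"))
        hits = check(m.group("body")) if check else []
        if hits:
            worst = max(hits, key=lambda h: SEVERITY_RANK[h[0]])[0]
            findings.append({"section": m.group("section"), "severity": worst,
                             "reasons": [r for _, r in hits], "line": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['line']}\n         {'; '.join(f['reasons'])}")
```

Run as a script it prints each flagged line with its reasons; the NOD32, NVIDIA and Adobe entries are in the sample as negatives and stay silent. A heuristic pass like this is a triage aid only: a line that is not flagged is not thereby clean, and the "Fix Checked" step still needs a human reading each entry against what is actually installed on the machine.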

Re: lop problem
The log that I've sent you was my sister's PC log, so should I follow the above instructions on my PC? Sorry for the stupid questions, because I am very confused.. And were those instructions for starting to clean my machine or hers?

Re: lop problem
Your sister's.
You said your issue wasn't so important, so let's fix this first, then we'll deal with yours.

Re: lop problem
I've done the steps for HijackThis on her PC and it told me to restart the machine.. I realised that we got rid of the annoying alerts right after entering Windows.. (You're divine :) ) Now I'll go to step 2 by downloading this Lop S&D thing on my PC, then transfer it to her PC and do what you say. I'll be back in a while..

Re: lop problem
Here is my PC's scan log. I'll try to do it on hers while you investigate mine..

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Intel(R) Pentium(R) M processor 1.86GHz )
BIOS : Phoenix NoteBIOS 4.0 Release 6.0
USER : Owner ( Administrator )
BOOT : Normal boot
Antivirus : ESET NOD32 antivirus system 2.70 2.70 (Activated)
C:\ (Local Disk) - NTFS - Total:55 Go (Free:38 Go)
D:\ (CD or DVD)
E:\ (Local Disk) - FAT32 - Total:149 Go (Free:77 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 24.02.2009|22:07 )

--------------------\\ Listing folders in APPLIC~1

[24.02.2009|17:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Babylon
[21.02.2009|16:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\KONAMI
[29.12.2008|01:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[24.11.2008|20:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[11.11.2008|08:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
[11.11.2008|18:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[19.01.2009|17:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\qs
[21.01.2009|13:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
[14.11.2008|22:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sports Interactive
[20.01.2009|14:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[11.11.2008|18:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[0|Dosya] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bayt
[13|Dizin] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bayt boŸ

[10.11.2008|20:34] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bayt boŸ

[19.01.2009|19:24] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\LOCALS~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\LOCALS~1\APPLIC~1\bayt boŸ

[15.11.2008|15:06] C:\DOCUME~1\Moiz\APPLIC~1\Adobe
[18.12.2008|22:59] C:\DOCUME~1\Moiz\APPLIC~1\Babylon
[09.01.2009|23:55] C:\DOCUME~1\Moiz\APPLIC~1\DivX
[15.11.2008|15:05] C:\DOCUME~1\Moiz\APPLIC~1\Identities
[15.11.2008|15:11] C:\DOCUME~1\Moiz\APPLIC~1\Macromedia
[28.12.2008|22:06] C:\DOCUME~1\Moiz\APPLIC~1\Microsoft
[15.11.2008|15:05] C:\DOCUME~1\Moiz\APPLIC~1\Windows Desktop Search
[22.02.2009|00:49] C:\DOCUME~1\Moiz\APPLIC~1\Windows Search
[0|Dosya] C:\DOCUME~1\Moiz\APPLIC~1\bayt
[10|Dizin] C:\DOCUME~1\Moiz\APPLIC~1\bayt boŸ

[10.11.2008|20:38] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\NETWOR~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\NETWOR~1\APPLIC~1\bayt boŸ

[11.11.2008|13:22] C:\DOCUME~1\Owner\APPLIC~1\Adobe
[19.01.2009|16:46] C:\DOCUME~1\Owner\APPLIC~1\Babylon
[12.11.2008|11:38] C:\DOCUME~1\Owner\APPLIC~1\BSplayer
[12.11.2008|11:31] C:\DOCUME~1\Owner\APPLIC~1\BSplayer Pro
[10.11.2008|20:39] C:\DOCUME~1\Owner\APPLIC~1\Identities
[11.11.2008|14:35] C:\DOCUME~1\Owner\APPLIC~1\Macromedia
[11.11.2008|17:35] C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
[17.12.2008|20:54] C:\DOCUME~1\Owner\APPLIC~1\Microsoft
[11.11.2008|19:39] C:\DOCUME~1\Owner\APPLIC~1\Mozilla
[14.11.2008|22:49] C:\DOCUME~1\Owner\APPLIC~1\Sports Interactive
[11.11.2008|19:24] C:\DOCUME~1\Owner\APPLIC~1\Sun
[11.11.2008|19:39] C:\DOCUME~1\Owner\APPLIC~1\Thunderbird
[11.11.2008|11:30] C:\DOCUME~1\Owner\APPLIC~1\Windows Desktop Search
[12.11.2008|19:07] C:\DOCUME~1\Owner\APPLIC~1\Windows Search
[11.02.2009|11:53] C:\DOCUME~1\Owner\APPLIC~1\WinRAR
[0|Dosya] C:\DOCUME~1\Owner\APPLIC~1\bayt
[17|Dizin] C:\DOCUME~1\Owner\APPLIC~1\bayt boŸ

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[24.02.2009 17:24][--ah-----] C:\WINDOWS\tasks\SA.DAT
[04.08.2004 16:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[11.11.2008|08:56] C:\Program Files\7-Zip
[30.11.2008|14:51] C:\Program Files\Ares
[18.12.2008|18:28] C:\Program Files\Babylon
[11.11.2008|12:15] C:\Program Files\Common Files
[10.11.2008|20:32] C:\Program Files\ComPlus Applications
[08.02.2009|22:09] C:\Program Files\ESET
[10.11.2008|22:11] C:\Program Files\Foxit Software
[11.11.2008|08:57] C:\Program Files\Google
[11.11.2008|12:16] C:\Program Files\InstallShield Installation Information
[02.02.2009|20:47] C:\Program Files\Internet Explorer
[11.11.2008|09:03] C:\Program Files\Java
[11.11.2008|09:03] C:\Program Files\K-Lite Codec Pack
[21.02.2009|16:11] C:\Program Files\KONAMI
[10.11.2008|20:35] C:\Program Files\microsoft frontpage
[11.11.2008|09:45] C:\Program Files\Microsoft Office
[11.11.2008|11:20] C:\Program Files\Microsoft Silverlight
[11.11.2008|09:45] C:\Program Files\Microsoft Visual Studio
[11.11.2008|09:45] C:\Program Files\Microsoft Works
[10.11.2008|20:33] C:\Program Files\Movie Maker
[24.02.2009|21:30] C:\Program Files\Mozilla Firefox
[10.11.2008|20:31] C:\Program Files\MSN Gaming Zone
[10.11.2008|22:12] C:\Program Files\mtu
[11.11.2008|09:01] C:\Program Files\Nero
[10.11.2008|20:33] C:\Program Files\NetMeeting
[10.11.2008|20:33] C:\Program Files\Online Services
[10.11.2008|22:13] C:\Program Files\OpenOffice.org 2.3
[10.11.2008|20:33] C:\Program Files\Outlook Express
[11.11.2008|08:57] C:\Program Files\Picasa2
[19.01.2009|17:53] C:\Program Files\QuickSnooker
[22.01.2009|11:00] C:\Program Files\Steam
[20.01.2009|12:16] C:\Program Files\Trend Micro
[10.11.2008|20:39] C:\Program Files\Uninstall Information
[12.11.2008|11:31] C:\Program Files\Webteh
[20.01.2009|13:35] C:\Program Files\Winamp
[11.11.2008|11:30] C:\Program Files\Windows Desktop Search
[11.11.2008|08:58] C:\Program Files\Windows Live
[11.11.2008|11:22] C:\Program Files\Windows Media Connect 2
[11.11.2008|11:22] C:\Program Files\Windows Media Player
[10.11.2008|20:31] C:\Program Files\Windows NT
[10.11.2008|20:33] C:\Program Files\WindowsUpdate
[11.02.2009|11:44] C:\Program Files\WinRAR
[10.11.2008|20:35] C:\Program Files\xerox
[0|Dosya] C:\Program Files\bayt
[44|Dizin] C:\Program Files\bayt boŸ

--------------------\\ Listing Folders in C:\Program Files\Common Files

[11.11.2008|09:45] C:\Program Files\Common Files\DESIGNER
[11.11.2008|12:15] C:\Program Files\Common Files\InstallShield
[11.11.2008|09:02] C:\Program Files\Common Files\Java
[11.11.2008|10:03] C:\Program Files\Common Files\Microsoft Shared
[10.11.2008|20:33] C:\Program Files\Common Files\MSSoap
[11.11.2008|09:00] C:\Program Files\Common Files\Nero
[10.11.2008|22:18] C:\Program Files\Common Files\ODBC
[10.11.2008|20:33] C:\Program Files\Common Files\Services
[10.11.2008|22:18] C:\Program Files\Common Files\SpeechEngines
[10.11.2008|22:22] C:\Program Files\Common Files\System
[0|Dosya] C:\Program Files\Common Files\bayt
[12|Dizin] C:\Program Files\Common Files\bayt boŸ

--------------------\\ Process

( 36 Processes )

iexplore.exe ~ [PID:3824]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Owner\LOCALS~1\Temp\nsd6.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsx3F.tmp

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 22:07:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
disk error: C:\WINDOWS\System32\
please note that you need administrator rights to perform deep scan

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Owner\Recent\CRACK ve SERIAL.lnk


[F:1002][D:27]-> C:\DOCUME~1\Owner\LOCALS~1\Temp
[F:95][D:0]-> C:\DOCUME~1\Owner\Cookies
[F:7255][D:8]-> C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 24.02.2009|22:08 - Option : [1]

--------------------\\ Scan completed at 22:08:16

Re: lop problem
And here is her log.. How was mine? I sense mine was clean?

Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel(R) Pentium(R) D CPU 2.66GHz )
BIOS : Rev 1.00
USER : usr ( Administrator )
BOOT : Normal boot
Antivirus : ESET NOD32 antivirus system 2.70 2.70 (Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:73 Go (Free:48 Go)
D:\ (Local Disk) - NTFS - Total:75 Go (Free:74 Go)
E:\ (CD or DVD)
F:\ (Local Disk) - FAT32 - Total:149 Go (Free:77 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 24.02.2009|22:12 )

--------------------\\ Listing folders in APPLIC~1

[26.10.2006|17:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[20.12.2008|19:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
[20.12.2008|19:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
[20.12.2008|19:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
[22.02.2009|21:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\GamesBar
[08.03.2008|22:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Go Go Gourmet
[29.01.2008|18:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[10.10.2006|16:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
[09.06.2008|17:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear
[12.04.2007|19:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\LongPokeClockHope
[25.11.2006|19:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
[09.06.2008|16:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[03.02.2007|16:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[03.10.2006|10:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[21.01.2009|17:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
[21.01.2009|17:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Reflexive
[25.09.2007|20:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
[05.12.2008|21:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[20.12.2008|19:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
[02.12.2007|18:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[08.03.2008|18:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[0|Dosya] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bayt
[23|Dizin] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bayt boŸ

[02.10.2006|08:45] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bayt boŸ

[28.03.2008|13:49] C:\DOCUME~1\Guest\APPLIC~1\Google
[10.10.2006|18:01] C:\DOCUME~1\Guest\APPLIC~1\HP
[10.10.2006|18:00] C:\DOCUME~1\Guest\APPLIC~1\Identities
[26.12.2006|20:42] C:\DOCUME~1\Guest\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\Guest\APPLIC~1\bayt
[6|Dizin] C:\DOCUME~1\Guest\APPLIC~1\bayt boŸ

[23.12.2007|11:42] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\LOCALS~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\LOCALS~1\APPLIC~1\bayt boŸ

[02.10.2006|08:49] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[16.09.2007|17:57] C:\DOCUME~1\NETWOR~1\APPLIC~1\Symantec
[0|Dosya] C:\DOCUME~1\NETWOR~1\APPLIC~1\bayt
[4|Dizin] C:\DOCUME~1\NETWOR~1\APPLIC~1\bayt boŸ

[23.09.2008|16:04] C:\DOCUME~1\usr\APPLIC~1\Adobe
[26.10.2006|17:12] C:\DOCUME~1\usr\APPLIC~1\AdobeUM
[21.07.2007|23:33] C:\DOCUME~1\usr\APPLIC~1\Bleh Bin Mix
[13.10.2008|18:37] C:\DOCUME~1\usr\APPLIC~1\Go-Go Gourmet Chef of the Year
[01.02.2008|12:43] C:\DOCUME~1\usr\APPLIC~1\Google
[10.10.2006|16:02] C:\DOCUME~1\usr\APPLIC~1\HP
[02.10.2006|12:14] C:\DOCUME~1\usr\APPLIC~1\Identities
[11.05.2008|10:34] C:\DOCUME~1\usr\APPLIC~1\Image Zone Express
[22.09.2007|22:33] C:\DOCUME~1\usr\APPLIC~1\InterVideo
[09.06.2008|16:55] C:\DOCUME~1\usr\APPLIC~1\iWin
[03.10.2006|09:05] C:\DOCUME~1\usr\APPLIC~1\Macromedia
[28.04.2008|19:28] C:\DOCUME~1\usr\APPLIC~1\Microsoft
[24.02.2009|16:25] C:\DOCUME~1\usr\APPLIC~1\Mozilla
[21.01.2009|17:51] C:\DOCUME~1\usr\APPLIC~1\PlayFirst
[16.09.2007|18:07] C:\DOCUME~1\usr\APPLIC~1\Printer Info Cache
[20.12.2008|19:54] C:\DOCUME~1\usr\APPLIC~1\QQ Games
[07.10.2006|09:33] C:\DOCUME~1\usr\APPLIC~1\Symantec
[20.12.2008|19:54] C:\DOCUME~1\usr\APPLIC~1\Tencent
[0|Dosya] C:\DOCUME~1\usr\APPLIC~1\bayt
[20|Dizin] C:\DOCUME~1\usr\APPLIC~1\bayt boŸ

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[24.02.2009 22:00][--ah-----] C:\WINDOWS\tasks\A04AAA1A90895C36.job
[24.02.2009 21:58][--a------] C:\WINDOWS\tasks\Symantec NetDetect.job
[24.02.2009 21:58][--ah-----] C:\WINDOWS\tasks\SA.DAT
[04.08.2004 14:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

( A04AAA1A90895C36.job )=( c:\docume~1\usr\applic~1\blehbi~1\greylistremote.exe )

--------------------\\ Listing Folders in C:\Program Files

[26.10.2006|16:59] C:\Program Files\Adobe
[12.04.2007|19:51] C:\Program Files\Adverts
[07.10.2006|09:23] C:\Program Files\Ahead
[20.12.2008|19:52] C:\Program Files\AIMTunes
[01.12.2008|21:51] C:\Program Files\Ares
[11.10.2008|13:24] C:\Program Files\AskSBar
[12.04.2007|19:52] C:\Program Files\Bleh Bin Mix
[24.02.2009|16:42] C:\Program Files\Common Files
[02.10.2006|08:42] C:\Program Files\ComPlus Applications
[22.09.2007|22:18] C:\Program Files\Creative
[02.10.2006|12:36] C:\Program Files\DIFX
[25.04.2008|19:26] C:\Program Files\DVDVideoSoft
[06.03.2007|21:06] C:\Program Files\EA GAMES
[29.09.2007|22:11] C:\Program Files\EA Sports
[13.11.2006|16:35] C:\Program Files\Electronic Arts
[24.02.2009|18:25] C:\Program Files\ESET
[17.10.2008|21:35] C:\Program Files\Gamenext
[17.10.2008|21:36] C:\Program Files\GamesBar
[29.01.2008|18:41] C:\Program Files\Google
[10.10.2006|15:59] C:\Program Files\Hewlett-Packard
[16.09.2007|18:06] C:\Program Files\HP
[17.05.2008|11:27] C:\Program Files\Incomplete
[15.12.2007|21:04] C:\Program Files\InstallShield Installation Information
[02.10.2006|12:53] C:\Program Files\Intel
[22.09.2007|22:19] C:\Program Files\InterActual
[14.12.2008|13:44] C:\Program Files\Internet Explorer
[22.09.2007|22:41] C:\Program Files\InterVideo
[15.07.2008|14:29] C:\Program Files\Java
[07.10.2006|09:28] C:\Program Files\LifeView TVR
[17.05.2008|11:27] C:\Program Files\LimeWire
[03.10.2006|07:54] C:\Program Files\Marvell
[18.04.2007|21:29] C:\Program Files\Maxis
[02.09.2008|13:11] C:\Program Files\Messenger
[06.02.2009|18:30] C:\Program Files\Messenger Plus! Live
[25.11.2006|19:19] C:\Program Files\MessengerPlus! 3
[08.02.2007|12:01] C:\Program Files\Microsoft ActiveSync
[02.10.2006|08:46] C:\Program Files\microsoft frontpage
[21.07.2008|22:05] C:\Program Files\Microsoft Games
[24.11.2008|20:55] C:\Program Files\Microsoft Office
[23.01.2007|17:30] C:\Program Files\Microsoft Visual Studio
[13.07.2008|20:25] C:\Program Files\Microsoft Works
[08.02.2007|12:01] C:\Program Files\Microsoft.NET
[02.10.2006|08:43] C:\Program Files\Movie Maker
[24.02.2009|20:17] C:\Program Files\Mozilla Firefox
[24.11.2008|20:55] C:\Program Files\MSECache
[02.10.2006|08:41] C:\Program Files\MSN Gaming Zone
[01.09.2008|19:50] C:\Program Files\MSN Messenger
[27.09.2007|10:59] C:\Program Files\MSXML 4.0
[23.12.2006|21:45] C:\Program Files\NetMeeting
[02.10.2006|08:44] C:\Program Files\Online Services
[14.06.2007|22:16] C:\Program Files\Outlook Express
[18.01.2009|19:59] C:\Program Files\PhotoScape
[03.10.2007|12:46] C:\Program Files\Play65
[21.01.2009|17:50] C:\Program Files\PlayFirst
[07.06.2007|21:34] C:\Program Files\ReflexiveArcade
[07.06.2008|12:37] C:\Program Files\Ricochet Lost Worlds
[13.10.2006|15:51] C:\Program Files\SMC
[15.12.2007|21:04] C:\Program Files\STV
[15.07.2008|14:29] C:\Program Files\Sun
[25.09.2007|20:42] C:\Program Files\Symantec
[07.10.2006|09:28] C:\Program Files\Teletext
[20.12.2008|19:54] C:\Program Files\Tencent
[02.10.2006|12:14] C:\Program Files\Uninstall Information
[20.12.2008|19:51] C:\Program Files\Viewpoint
[06.03.2007|19:13] C:\Program Files\Winamp
[08.03.2008|18:13] C:\Program Files\Windows Live
[23.12.2007|11:37] C:\Program Files\Windows Media Connect 2
[23.12.2007|11:41] C:\Program Files\Windows Media Player
[02.10.2006|08:41] C:\Program Files\Windows NT
[02.10.2006|08:44] C:\Program Files\WindowsUpdate
[06.10.2006|07:55] C:\Program Files\WinRAR
[02.10.2006|08:46] C:\Program Files\xerox
[0|Dosya] C:\Program Files\bayt
[74|Dizin] C:\Program Files\bayt boŸ

--------------------\\ Listing Folders in C:\Program Files\Common Files

[26.10.2006|17:11] C:\Program Files\Common Files\Adobe
[07.10.2006|09:23] C:\Program Files\Common Files\Ahead
[23.02.2009|21:54] C:\Program Files\Common Files\AOL
[25.09.2007|20:21] C:\Program Files\Common Files\Cisco Systems
[08.02.2007|12:01] C:\Program Files\Common Files\DESIGNER
[25.04.2008|19:26] C:\Program Files\Common Files\DVDVideoSoft
[16.09.2007|18:06] C:\Program Files\Common Files\HP
[22.09.2007|22:18] C:\Program Files\Common Files\InstallShield
[22.09.2007|22:38] C:\Program Files\Common Files\InterVideo
[04.01.2007|18:42] C:\Program Files\Common Files\Java
[08.02.2007|12:01] C:\Program Files\Common Files\L&H
[13.07.2008|20:24] C:\Program Files\Common Files\Microsoft Shared
[02.10.2006|08:43] C:\Program Files\Common Files\MSSoap
[09.06.2008|16:53] C:\Program Files\Common Files\Oberon Media
[02.10.2006|11:28] C:\Program Files\Common Files\ODBC
[02.10.2006|08:43] C:\Program Files\Common Files\Services
[20.12.2008|19:51] C:\Program Files\Common Files\Software Update Utility
[02.10.2006|11:28] C:\Program Files\Common Files\SpeechEngines
[25.09.2007|20:42] C:\Program Files\Common Files\Symantec Shared
[17.01.2009|17:49] C:\Program Files\Common Files\System
[08.03.2008|18:14] C:\Program Files\Common Files\WindowsLiveInstaller
[0|File(s)] C:\Program Files\Common Files\bytes
[23|Dir(s)] C:\Program Files\Common Files\bytes free

--------------------\\ Process

( 37 Processes )

... OK !

--------------------\\ Searching with S_Lop

C:\DOCUME~1\usr\LOCALS~1\Temp\bis301.exe

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\usr\APPLIC~1\blehbi~1
C:\DOCUME~1\usr\APPLIC~1\blehbi~1\third name bits trust.exe
C:\DOCUME~1\usr\APPLIC~1\blehbi~1\wkopylwn.exe
C:\Program Files\blehbi~1
C:\DOCUME~1\usr\LOCALS~1\Temp\msgpl_f9a4.exe
C:\DOCUME~1\usr\LOCALS~1\Temp\nsm18E.tmp
C:\DOCUME~1\usr\LOCALS~1\Temp\nsu88A.tmp
C:\DOCUME~1\usr\LOCALS~1\Temp\status.txt
C:\Program Files\Adverts
C:\Program Files\Adverts\uninst.exe
C:\WINDOWS\Tasks\A04AAA1A90895C36.job

--------------------\\ Searching within the Registry

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

..... OK !

--------------------\\ Checking the Hosts file

Hosts file MODIFIED

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD
127.0.0.1 download.cdn.errorsafe.com ## added by CiD
127.0.0.1 download.cdn.winsoftware.com ## added by CiD
127.0.0.1 download.errorsafe.com ## added by CiD
127.0.0.1 download.systemdoctor.com ## added by CiD
127.0.0.1 download.winantispyware.com ## added by CiD
127.0.0.1 download.windrivecleaner.com ## added by CiD
127.0.0.1 download.winfixer.com ## added by CiD
127.0.0.1 drivecleaner.com ## added by CiD
127.0.0.1 dynamique.drivecleaner.com ## added by CiD
127.0.0.1 errorprotector.com ## added by CiD
127.0.0.1 errorsafe.com ## added by CiD
127.0.0.1 es.winantivirus.com ## added by CiD
127.0.0.1 fr.winantivirus.com ## added by CiD
127.0.0.1 fr.winfixer.com ## added by CiD
127.0.0.1 go.drivecleaner.com ## added by CiD
127.0.0.1 go.errorsafe.com ## added by CiD
127.0.0.1 go.winantispyware.com ## added by CiD
127.0.0.1 go.winantivirus.com ## added by CiD
127.0.0.1 hk.winantivirus.com ## added by CiD
127.0.0.1 instlog.errorsafe.com ## added by CiD
127.0.0.1 instlog.winantivirus.com ## added by CiD
127.0.0.1 instlog.winfixer.com ## added by CiD
127.0.0.1 jsp.drivecleaner.com ## added by CiD
127.0.0.1 kb.errorsafe.com ## added by CiD
127.0.0.1 kb.winantivirus.com ## added by CiD
127.0.0.1 nl.errorsafe.com ## added by CiD
127.0.0.1 se.errorsafe.com ## added by CiD
127.0.0.1 secure.drivecleaner.com ## added by CiD
127.0.0.1 secure.errorsafe.com ## added by CiD
127.0.0.1 secure.winantispam.com ## added by CiD
127.0.0.1 secure.winantispy.com ## added by CiD
127.0.0.1 secure.winantivirus.com ## added by CiD
127.0.0.1 support.winantivirus.com ## added by CiD
127.0.0.1 trial.updates.winsoftware.com ## added by CiD
127.0.0.1 ulog.winantivirus.com ## added by CiD
127.0.0.1 utils.errorsafe.com ## added by CiD
127.0.0.1 utils.winantivirus.com ## added by CiD
127.0.0.1 utils.winfixer.com ## added by CiD
127.0.0.1 winantispyware.com ## added by CiD
127.0.0.1 winantivirus.com ## added by CiD
127.0.0.1 winfixer.com ## added by CiD
127.0.0.1 winfixer2006.com ## added by CiD
127.0.0.1 winsoftware.com ## added by CiD
127.0.0.1 www.drivecleaner.com ## added by CiD
127.0.0.1 www.errorprotector.com ## added by CiD
127.0.0.1 www.errorsafe.com ## added by CiD
127.0.0.1 www.systemdoctor.com ## added by CiD
127.0.0.1 www.utils.winfixer.com ## added by CiD
127.0.0.1 www.win-anti-virus-pro.com ## added by CiD
127.0.0.1 www.win-virus-pro.com ## added by CiD
127.0.0.1 www.winantispam.com ## added by CiD
127.0.0.1 www.winantispy.com ## added by CiD
127.0.0.1 www.winantispyware.com ## added by CiD
127.0.0.1 www.winantivirus.com ## added by CiD
127.0.0.1 www.winantiviruspro.com ## added by CiD
127.0.0.1 www.windrivecleaner.com ## added by CiD
127.0.0.1 www.windrivesafe.com ## added by CiD
127.0.0.1 www.winfixer.com ## added by CiD
127.0.0.1 www.winfixer2006.com ## added by CiD
127.0.0.1 www.winsoftware.com ## added by CiD

-> 72 [ 70 ## added by CiD ]

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 22:14:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 1

--------------------\\ Searching for other infections


No other infections found !
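
The hosts check above works on a simple rule: list every mapping that is not a stock localhost line, and count how many of those carry an "## added by" annotation; that is what the summary "-> 72 [ 70 ## added by CiD ]" reports. As an added example (this is not Lop S&D's code and was not posted in the thread), the same audit in Python, run over a constructed hosts excerpt. The three "added by CiD" lines are taken from the shape of the log; the "0.0.0.0 update.example.invalid" and "10.0.0.5 www.bank.example" lines are made up to show the difference between a sinkhole entry and a real redirection.

```python
"""Audit a Windows hosts file the way Lop S&D's "Checking the Hosts file" step does:
list every mapping that is not a default localhost entry, tally the "## added by <tool>"
annotations, and separate sinkhole entries (loopback / null route) from redirections.
"""
from collections import Counter

# Constructed sample in the shape of the hosts file shown in the log above.
# The last two lines are invented for contrast: a null-routed name and a name
# sent to a third-party address (the pattern a hosts-file hijack uses).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 winfixer.com ## added by CiD
127.0.0.1 www.winsoftware.com ## added by CiD
0.0.0.0 update.example.invalid
10.0.0.5 www.bank.example
"""

DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return a list of (ip, [hostnames], comment) for every active mapping.

    Blank lines and pure comment lines are skipped; a trailing comment such as
    '## added by CiD' is kept (hash marks stripped) so annotations can be tallied.
    """
    entries = []
    for raw in text.splitlines():
        mapping, _, comment = raw.partition("#")
        fields = mapping.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], [h.lower() for h in fields[1:]], comment.strip(" #\t")))
    return entries


def audit_hosts(text):
    """Classify every non-default mapping and return a summary dict."""
    extra = [(ip, host, comment)
             for ip, hosts, comment in parse_hosts(text)
             for host in hosts
             if (ip, host) not in DEFAULT_ENTRIES]
    tags = Counter(comment for _, _, comment in extra if comment)
    sinkholed = sorted(host for ip, host, _ in extra if ip in SINKHOLE_IPS)
    redirected = sorted((host, ip) for ip, host, _ in extra if ip not in SINKHOLE_IPS)
    return {
        "modified": bool(extra),
        "total": len(extra),
        "tags": dict(tags),        # e.g. {'added by CiD': 3}
        "sinkholed": sinkholed,    # blocked names: a nuisance at worst
        "redirected": redirected,  # names sent elsewhere: treat as a hijack
    }


def format_summary(report):
    """Render the report in the one-line style of the log's '-> 72 [ 70 ## added by CiD ]'."""
    if not report["modified"]:
        return "Hosts file CLEAN"
    tag_part = ", ".join(f"{n} ## {tag}" for tag, n in sorted(report["tags"].items()))
    line = f"Hosts file MODIFIED -> {report['total']} [ {tag_part} ]"
    for host, ip in report["redirected"]:
        line += f"\n  REDIRECT {host} -> {ip}"
    return line


if __name__ == "__main__":
    print(format_summary(audit_hosts(SAMPLE_HOSTS)))
```

On XP the live file is %SystemRoot%\system32\drivers\etc\hosts. Entries like the "added by CiD" ones point rogue-AV domains at loopback, so they block rather than redirect; the lines that matter are the ones mapping a name to some other address, which the script lists separately. Restoring the stock file, as Option 2 does, is still the safe choice once you cannot vouch for every line in it.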

Re: lop problem
Hello
Restart Lop S&D

This time choose Option 2 (Fix + Hosts)
Don't close the window during suppression!
Post the log which is created: (%SystemDrive%\lopR.txt)

Re: lop problem

Hello again. We need to thank you for everything that you have done for us till now. Here's my log (for option 2):

Re: lop problem
--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Intel(R) Pentium(R) M processor 1.86GHz )
BIOS : Phoenix NoteBIOS 4.0 Release 6.0
USER : Owner ( Administrator )
BOOT : Normal boot
Antivirus : ESET NOD32 antivirus system 2.70 2.70 (Activated)
C:\ (Local Disk) - NTFS - Total:55 Go (Free:38 Go)
D:\ (CD or DVD)
E:\ (Local Disk) - FAT32 - Total:149 Go (Free:77 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [2] ( 24.02.2009|22:30 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ FIX

Deleted! - C:\DOCUME~1\Owner\LOCALS~1\Temp\nsd6.tmp
Deleted! - C:\DOCUME~1\Owner\LOCALS~1\Temp\nsx3F.tmp
-
[ Hosts file ] .. Restored!

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Listing folders in APPLIC~1

[24.02.2009|22:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Babylon
[21.02.2009|16:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\KONAMI
[29.12.2008|01:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[24.11.2008|20:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[11.11.2008|08:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
[11.11.2008|18:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[19.01.2009|17:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\qs
[21.01.2009|13:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
[14.11.2008|22:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sports Interactive
[20.01.2009|14:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[11.11.2008|18:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[0|File(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes
[13|Dir(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes free

[10.11.2008|20:34] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|File(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes
[3|Dir(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes free

[19.01.2009|19:24] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|File(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes
[3|Dir(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes free

[15.11.2008|15:06] C:\DOCUME~1\Moiz\APPLIC~1\Adobe
[18.12.2008|22:59] C:\DOCUME~1\Moiz\APPLIC~1\Babylon
[09.01.2009|23:55] C:\DOCUME~1\Moiz\APPLIC~1\DivX
[15.11.2008|15:05] C:\DOCUME~1\Moiz\APPLIC~1\Identities
[15.11.2008|15:11] C:\DOCUME~1\Moiz\APPLIC~1\Macromedia
[28.12.2008|22:06] C:\DOCUME~1\Moiz\APPLIC~1\Microsoft
[15.11.2008|15:05] C:\DOCUME~1\Moiz\APPLIC~1\Windows Desktop Search
[22.02.2009|00:49] C:\DOCUME~1\Moiz\APPLIC~1\Windows Search
[0|File(s)] C:\DOCUME~1\Moiz\APPLIC~1\bytes
[10|Dir(s)] C:\DOCUME~1\Moiz\APPLIC~1\bytes free

[10.11.2008|20:38] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[0|File(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes
[3|Dir(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes free

[11.11.2008|13:22] C:\DOCUME~1\Owner\APPLIC~1\Adobe
[19.01.2009|16:46] C:\DOCUME~1\Owner\APPLIC~1\Babylon
[12.11.2008|11:38] C:\DOCUME~1\Owner\APPLIC~1\BSplayer
[12.11.2008|11:31] C:\DOCUME~1\Owner\APPLIC~1\BSplayer Pro
[10.11.2008|20:39] C:\DOCUME~1\Owner\APPLIC~1\Identities
[11.11.2008|14:35] C:\DOCUME~1\Owner\APPLIC~1\Macromedia
[11.11.2008|17:35] C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
[17.12.2008|20:54] C:\DOCUME~1\Owner\APPLIC~1\Microsoft
[11.11.2008|19:39] C:\DOCUME~1\Owner\APPLIC~1\Mozilla
[14.11.2008|22:49] C:\DOCUME~1\Owner\APPLIC~1\Sports Interactive
[11.11.2008|19:24] C:\DOCUME~1\Owner\APPLIC~1\Sun
[11.11.2008|19:39] C:\DOCUME~1\Owner\APPLIC~1\Thunderbird
[11.11.2008|11:30] C:\DOCUME~1\Owner\APPLIC~1\Windows Desktop Search
[12.11.2008|19:07] C:\DOCUME~1\Owner\APPLIC~1\Windows Search
[11.02.2009|11:53] C:\DOCUME~1\Owner\APPLIC~1\WinRAR
[0|File(s)] C:\DOCUME~1\Owner\APPLIC~1\bytes
[17|Dir(s)] C:\DOCUME~1\Owner\APPLIC~1\bytes free

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[24.02.2009 17:24][--ah-----] C:\WINDOWS\tasks\SA.DAT
[04.08.2004 16:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[11.11.2008|08:56] C:\Program Files\7-Zip
[30.11.2008|14:51] C:\Program Files\Ares
[18.12.2008|18:28] C:\Program Files\Babylon
[11.11.2008|12:15] C:\Program Files\Common Files
[10.11.2008|20:32] C:\Program Files\ComPlus Applications
[08.02.2009|22:09] C:\Program Files\ESET
[10.11.2008|22:11] C:\Program Files\Foxit Software
[11.11.2008|08:57] C:\Program Files\Google
[11.11.2008|12:16] C:\Program Files\InstallShield Installation Information
[02.02.2009|20:47] C:\Program Files\Internet Explorer
[11.11.2008|09:03] C:\Program Files\Java
[11.11.2008|09:03] C:\Program Files\K-Lite Codec Pack
[21.02.2009|16:11] C:\Program Files\KONAMI
[10.11.2008|20:35] C:\Program Files\microsoft frontpage
[11.11.2008|09:45] C:\Program Files\Microsoft Office
[11.11.2008|11:20] C:\Program Files\Microsoft Silverlight
[11.11.2008|09:45] C:\Program Files\Microsoft Visual Studio
[11.11.2008|09:45] C:\Program Files\Microsoft Works
[10.11.2008|20:33] C:\Program Files\Movie Maker
[24.02.2009|21:30] C:\Program Files\Mozilla Firefox
[10.11.2008|20:31] C:\Program Files\MSN Gaming Zone
[10.11.2008|22:12] C:\Program Files\mtu
[11.11.2008|09:01] C:\Program Files\Nero
[10.11.2008|20:33] C:\Program Files\NetMeeting
[10.11.2008|20:33] C:\Program Files\Online Services
[10.11.2008|22:13] C:\Program Files\OpenOffice.org 2.3
[10.11.2008|20:33] C:\Program Files\Outlook Express
[11.11.2008|08:57] C:\Program Files\Picasa2
[19.01.2009|17:53] C:\Program Files\QuickSnooker
[22.01.2009|11:00] C:\Program Files\Steam
[20.01.2009|12:16] C:\Program Files\Trend Micro
[10.11.2008|20:39] C:\Program Files\Uninstall Information
[12.11.2008|11:31] C:\Program Files\Webteh
[20.01.2009|13:35] C:\Program Files\Winamp
[11.11.2008|11:30] C:\Program Files\Windows Desktop Search
[11.11.2008|08:58] C:\Program Files\Windows Live
[11.11.2008|11:22] C:\Program Files\Windows Media Connect 2
[11.11.2008|11:22] C:\Program Files\Windows Media Player
[10.11.2008|20:31] C:\Program Files\Windows NT
[10.11.2008|20:33] C:\Program Files\WindowsUpdate
[11.02.2009|11:44] C:\Program Files\WinRAR
[10.11.2008|20:35] C:\Program Files\xerox
[0|File(s)] C:\Program Files\bytes
[44|Dir(s)] C:\Program Files\bytes free

--------------------\\ Listing Folders in C:\Program Files\Common Files

[11.11.2008|09:45] C:\Program Files\Common Files\DESIGNER
[11.11.2008|12:15] C:\Program Files\Common Files\InstallShield
[11.11.2008|09:02] C:\Program Files\Common Files\Java
[11.11.2008|10:03] C:\Program Files\Common Files\Microsoft Shared
[10.11.2008|20:33] C:\Program Files\Common Files\MSSoap
[11.11.2008|09:00] C:\Program Files\Common Files\Nero
[10.11.2008|22:18] C:\Program Files\Common Files\ODBC
[10.11.2008|20:33] C:\Program Files\Common Files\Services
[10.11.2008|22:18] C:\Program Files\Common Files\SpeechEngines
[10.11.2008|22:22] C:\Program Files\Common Files\System
[0|File(s)] C:\Program Files\Common Files\bytes
[12|Dir(s)] C:\Program Files\Common Files\bytes free

--------------------\\ Process

( 37 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 22:30:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
disk error: C:\WINDOWS\System32\
please note that you need administrator rights to perform deep scan

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Owner\Recent\CRACK ve SERIAL.lnk


[F:998][D:25]-> C:\DOCUME~1\Owner\LOCALS~1\Temp
[F:95][D:0]-> C:\DOCUME~1\Owner\Cookies
[F:7265][D:8]-> C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 24.02.2009|22:08 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - 24.02.2009|22:31 - Option : [2]

--------------------\\ Scan completed at 22:31:14

Re: lop problem

Hello.
The LOP is gone, let's see what's left.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.

Re: lop problem

And here is her log file (option 2). Were we both under attack? And should I continue to do all the steps for both of us? Because she needs to sleep and can't work on her machine any further tonight.

Her log:

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel(R) Pentium(R) D CPU 2.66GHz )
BIOS : Rev 1.00
USER : usr ( Administrator )
BOOT : Normal boot
Antivirus : ESET NOD32 antivirus system 2.70 2.70 (Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:73 Go (Free:48 Go)
D:\ (Local Disk) - NTFS - Total:75 Go (Free:74 Go)
E:\ (CD or DVD)
F:\ (Local Disk) - FAT32 - Total:149 Go (Free:77 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [2] ( 24.02.2009|22:37 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ FIX

Deleted! - C:\DOCUME~1\usr\APPLIC~1\blehbi~1\third name bits trust.exe
Deleted! - C:\DOCUME~1\usr\APPLIC~1\blehbi~1\wkopylwn.exe
Deleted! - C:\DOCUME~1\usr\LOCALS~1\Temp\msgpl_f9a4.exe
Deleted! - C:\DOCUME~1\usr\LOCALS~1\Temp\nsm18E.tmp
Deleted! - C:\DOCUME~1\usr\LOCALS~1\Temp\nsu88A.tmp
Deleted! - C:\DOCUME~1\usr\LOCALS~1\Temp\status.txt
Deleted! - C:\Program Files\Adverts\uninst.exe
Deleted! - C:\WINDOWS\Tasks\A04AAA1A90895C36.job
Deleted! - C:\DOCUME~1\usr\LOCALS~1\Temp\bis301.exe
Deleted! - C:\DOCUME~1\usr\APPLIC~1\blehbi~1
Deleted! - C:\Program Files\blehbi~1
Deleted! - C:\Program Files\Adverts
-
[ Hosts file ] .. Restored!

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Deleted! - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Listing folders in APPLIC~1

[26.10.2006|17:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[20.12.2008|19:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
[20.12.2008|19:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
[20.12.2008|19:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
[22.02.2009|21:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\GamesBar
[08.03.2008|22:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Go Go Gourmet
[29.01.2008|18:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[10.10.2006|16:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
[09.06.2008|17:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear
[12.04.2007|19:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\LongPokeClockHope
[25.11.2006|19:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
[09.06.2008|16:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[03.02.2007|16:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[03.10.2006|10:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[21.01.2009|17:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
[21.01.2009|17:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Reflexive
[25.09.2007|20:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
[05.12.2008|21:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[02.12.2007|18:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[08.03.2008|18:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[0|File(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes
[22|Dir(s)] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bytes free

[02.10.2006|08:45] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|File(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes
[3|Dir(s)] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bytes free

[28.03.2008|13:49] C:\DOCUME~1\Guest\APPLIC~1\Google
[10.10.2006|18:01] C:\DOCUME~1\Guest\APPLIC~1\HP
[10.10.2006|18:00] C:\DOCUME~1\Guest\APPLIC~1\Identities
[26.12.2006|20:42] C:\DOCUME~1\Guest\APPLIC~1\Microsoft
[0|File(s)] C:\DOCUME~1\Guest\APPLIC~1\bytes
[6|Dir(s)] C:\DOCUME~1\Guest\APPLIC~1\bytes free

[23.12.2007|11:42] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|File(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes
[3|Dir(s)] C:\DOCUME~1\LOCALS~1\APPLIC~1\bytes free

[02.10.2006|08:49] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[16.09.2007|17:57] C:\DOCUME~1\NETWOR~1\APPLIC~1\Symantec
[0|File(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes
[4|Dir(s)] C:\DOCUME~1\NETWOR~1\APPLIC~1\bytes free

[23.09.2008|16:04] C:\DOCUME~1\usr\APPLIC~1\Adobe
[26.10.2006|17:12] C:\DOCUME~1\usr\APPLIC~1\AdobeUM
[13.10.2008|18:37] C:\DOCUME~1\usr\APPLIC~1\Go-Go Gourmet Chef of the Year
[01.02.2008|12:43] C:\DOCUME~1\usr\APPLIC~1\Google
[10.10.2006|16:02] C:\DOCUME~1\usr\APPLIC~1\HP
[02.10.2006|12:14] C:\DOCUME~1\usr\APPLIC~1\Identities
[11.05.2008|10:34] C:\DOCUME~1\usr\APPLIC~1\Image Zone Express
[22.09.2007|22:33] C:\DOCUME~1\usr\APPLIC~1\InterVideo
[09.06.2008|16:55] C:\DOCUME~1\usr\APPLIC~1\iWin
[03.10.2006|09:05] C:\DOCUME~1\usr\APPLIC~1\Macromedia
[28.04.2008|19:28] C:\DOCUME~1\usr\APPLIC~1\Microsoft
[24.02.2009|16:25] C:\DOCUME~1\usr\APPLIC~1\Mozilla
[21.01.2009|17:51] C:\DOCUME~1\usr\APPLIC~1\PlayFirst
[16.09.2007|18:07] C:\DOCUME~1\usr\APPLIC~1\Printer Info Cache
[20.12.2008|19:54] C:\DOCUME~1\usr\APPLIC~1\QQ Games
[07.10.2006|09:33] C:\DOCUME~1\usr\APPLIC~1\Symantec
[20.12.2008|19:54] C:\DOCUME~1\usr\APPLIC~1\Tencent
[0|File(s)] C:\DOCUME~1\usr\APPLIC~1\bytes
[19|Dir(s)] C:\DOCUME~1\usr\APPLIC~1\bytes free

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[24.02.2009 21:58][--a------] C:\WINDOWS\tasks\Symantec NetDetect.job
[24.02.2009 21:58][--ah-----] C:\WINDOWS\tasks\SA.DAT
[04.08.2004 14:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[26.10.2006|16:59] C:\Program Files\Adobe
[07.10.2006|09:23] C:\Program Files\Ahead
[20.12.2008|19:52] C:\Program Files\AIMTunes
[01.12.2008|21:51] C:\Program Files\Ares
[11.10.2008|13:24] C:\Program Files\AskSBar
[24.02.2009|16:42] C:\Program Files\Common Files
[02.10.2006|08:42] C:\Program Files\ComPlus Applications
[22.09.2007|22:18] C:\Program Files\Creative
[02.10.2006|12:36] C:\Program Files\DIFX
[25.04.2008|19:26] C:\Program Files\DVDVideoSoft
[06.03.2007|21:06] C:\Program Files\EA GAMES
[29.09.2007|22:11] C:\Program Files\EA Sports
[13.11.2006|16:35] C:\Program Files\Electronic Arts
[24.02.2009|18:25] C:\Program Files\ESET
[17.10.2008|21:35] C:\Program Files\Gamenext
[17.10.2008|21:36] C:\Program Files\GamesBar
[29.01.2008|18:41] C:\Program Files\Google
[10.10.2006|15:59] C:\Program Files\Hewlett-Packard
[16.09.2007|18:06] C:\Program Files\HP
[17.05.2008|11:27] C:\Program Files\Incomplete
[15.12.2007|21:04] C:\Program Files\InstallShield Installation Information
[02.10.2006|12:53] C:\Program Files\Intel
[22.09.2007|22:19] C:\Program Files\InterActual
[14.12.2008|13:44] C:\Program Files\Internet Explorer
[22.09.2007|22:41] C:\Program Files\InterVideo
[15.07.2008|14:29] C:\Program Files\Java
[07.10.2006|09:28] C:\Program Files\LifeView TVR
[17.05.2008|11:27] C:\Program Files\LimeWire
[03.10.2006|07:54] C:\Program Files\Marvell
[18.04.2007|21:29] C:\Program Files\Maxis
[02.09.2008|13:11] C:\Program Files\Messenger
[06.02.2009|18:30] C:\Program Files\Messenger Plus! Live
[25.11.2006|19:19] C:\Program Files\MessengerPlus! 3
[08.02.2007|12:01] C:\Program Files\Microsoft ActiveSync
[02.10.2006|08:46] C:\Program Files\microsoft frontpage
[21.07.2008|22:05] C:\Program Files\Microsoft Games
[24.11.2008|20:55] C:\Program Files\Microsoft Office
[23.01.2007|17:30] C:\Program Files\Microsoft Visual Studio
[13.07.2008|20:25] C:\Program Files\Microsoft Works
[08.02.2007|12:01] C:\Program Files\Microsoft.NET
[02.10.2006|08:43] C:\Program Files\Movie Maker
[24.02.2009|20:17] C:\Program Files\Mozilla Firefox
[24.11.2008|20:55] C:\Program Files\MSECache
[02.10.2006|08:41] C:\Program Files\MSN Gaming Zone
[01.09.2008|19:50] C:\Program Files\MSN Messenger
[27.09.2007|10:59] C:\Program Files\MSXML 4.0
[23.12.2006|21:45] C:\Program Files\NetMeeting
[02.10.2006|08:44] C:\Program Files\Online Services
[14.06.2007|22:16] C:\Program Files\Outlook Express
[18.01.2009|19:59] C:\Program Files\PhotoScape
[03.10.2007|12:46] C:\Program Files\Play65
[21.01.2009|17:50] C:\Program Files\PlayFirst
[07.06.2007|21:34] C:\Program Files\ReflexiveArcade
[07.06.2008|12:37] C:\Program Files\Ricochet Lost Worlds
[13.10.2006|15:51] C:\Program Files\SMC
[15.12.2007|21:04] C:\Program Files\STV
[15.07.2008|14:29] C:\Program Files\Sun
[25.09.2007|20:42] C:\Program Files\Symantec
[07.10.2006|09:28] C:\Program Files\Teletext
[20.12.2008|19:54] C:\Program Files\Tencent
[02.10.2006|12:14] C:\Program Files\Uninstall Information
[24.02.2009|22:37] C:\Program Files\Viewpoint
[06.03.2007|19:13] C:\Program Files\Winamp
[08.03.2008|18:13] C:\Program Files\Windows Live
[23.12.2007|11:37] C:\Program Files\Windows Media Connect 2
[23.12.2007|11:41] C:\Program Files\Windows Media Player
[02.10.2006|08:41] C:\Program Files\Windows NT
[02.10.2006|08:44] C:\Program Files\WindowsUpdate
[06.10.2006|07:55] C:\Program Files\WinRAR
[02.10.2006|08:46] C:\Program Files\xerox
[0|File(s)] C:\Program Files\bytes
[72|Dir(s)] C:\Program Files\bytes free

--------------------\\ Listing Folders in C:\Program Files\Common Files

[26.10.2006|17:11] C:\Program Files\Common Files\Adobe
[07.10.2006|09:23] C:\Program Files\Common Files\Ahead
[23.02.2009|21:54] C:\Program Files\Common Files\AOL
[25.09.2007|20:21] C:\Program Files\Common Files\Cisco Systems
[08.02.2007|12:01] C:\Program Files\Common Files\DESIGNER
[25.04.2008|19:26] C:\Program Files\Common Files\DVDVideoSoft
[16.09.2007|18:06] C:\Program Files\Common Files\HP
[22.09.2007|22:18] C:\Program Files\Common Files\InstallShield
[22.09.2007|22:38] C:\Program Files\Common Files\InterVideo
[04.01.2007|18:42] C:\Program Files\Common Files\Java
[08.02.2007|12:01] C:\Program Files\Common Files\L&H
[13.07.2008|20:24] C:\Program Files\Common Files\Microsoft Shared
[02.10.2006|08:43] C:\Program Files\Common Files\MSSoap
[09.06.2008|16:53] C:\Program Files\Common Files\Oberon Media
[02.10.2006|11:28] C:\Program Files\Common Files\ODBC
[02.10.2006|08:43] C:\Program Files\Common Files\Services
[20.12.2008|19:51] C:\Program Files\Common Files\Software Update Utility
[02.10.2006|11:28] C:\Program Files\Common Files\SpeechEngines
[25.09.2007|20:42] C:\Program Files\Common Files\Symantec Shared
[17.01.2009|17:49] C:\Program Files\Common Files\System
[08.03.2008|18:14] C:\Program Files\Common Files\WindowsLiveInstaller
[0|File(s)] C:\Program Files\Common Files\bytes
[23|Dir(s)] C:\Program Files\Common Files\bytes free

--------------------\\ Process

( 37 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 22:38:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 1

--------------------\\ Searching for other infections


No other infections found !

[F:6312][D:149]-> C:\DOCUME~1\usr\LOCALS~1\Temp
[F:13][D:0]-> C:\DOCUME~1\usr\Cookies
[F:4242][D:25]-> C:\DOCUME~1\usr\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 24.02.2009|22:15 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - 24.02.2009|22:39 - Option : [2]

--------------------\\ Scan completed at 22:39:14

Re: lop problem

Okay, now I'm confused.
Are you running tools on both machines? I want to work on one machine, then the other, otherwise it will cause problems for me.

Please run DDS for your sister's machine, instructions here:
http://www.geekpolice.net/virus-spyware-malware-removal-f11/lop-problem-t6996.htm#42957

Re: lop problem

Yes, sorry for the chaos that I caused :( Because of our anxiety I ran the tools on both machines. Now that she had to sleep I can't work on her PC, only on my own PC. I did what you said up to the option 2 step for both machines, and I didn't download DDS yet. Did my explanations help you get rid of the confusion? Now should I follow your instructions for my PC? (If it's under threat; I couldn't understand this part.) And maybe tomorrow I can try the same path for her machine.

Re: lop problem

Okay, we'll do your machine for now.

And you aren't under attack, but this is caused by something you did without realizing.
The LOP infection is brought on when you install Messenger Plus! with sponsors; the messenger is legit, the sponsors are an infection.
I can see from Lop S&D that Messenger Plus! is installed here, so we'll uninstall it and re-install it without sponsors.

Please run DDS from YOUR machine.

Re: lop problem

I even didn't know, and still am not sure, that I have Messenger Plus. I know my sister has it, but my machine, I don't think so. But if you say I have it you must be right :) Here is the DDS log from MY machine.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 23:08:43,76 on 24.02.2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1497 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
mDefault_Page_URL = hxxp://www.google.com.tr/
uInternet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dk994s4c.default\
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\dk994s4c.default\extensions\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}\components\FFAlert.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-02-24 22:04 --d----- C:\Lop SD
2009-02-22 02:24 268 a---h--- C:\sqmdata03.sqm
2009-02-22 02:24 244 a---h--- C:\sqmnoopt03.sqm
2009-02-21 20:19 268 a---h--- C:\sqmdata02.sqm
2009-02-21 20:19 244 a---h--- C:\sqmnoopt02.sqm
2009-02-21 18:46 268 a---h--- C:\sqmdata01.sqm
2009-02-21 18:46 244 a---h--- C:\sqmnoopt01.sqm
2009-02-21 16:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:15 --d----- c:\docume~1\alluse~1\applic~1\KONAMI
2009-02-21 16:11 --d----- c:\program files\KONAMI
2009-02-16 22:55 268 a---h--- C:\sqmdata00.sqm
2009-02-16 22:55 244 a---h--- C:\sqmnoopt00.sqm
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-13 12:44 --d----- C:\_OTMoveIt
2009-02-08 21:09 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf

==================== Find3M ====================

2009-02-24 17:28 413,744 a------- c:\windows\system32\perfh01F.dat
2009-02-24 17:28 82,292 a------- c:\windows\system32\perfc01F.dat

============= FINISH: 23:08:58,03 ===============

Re: lop problem
Hello.
There are a few things we can throw, so I want to see what's installed.

  • Open HijackThis
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

Re: lop problem
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
7-Zip 4.57
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Ares 2.1.0
Babylon
BS.Player FREE
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915800-v4)
Java(TM) 6 Update 4
K-Lite Codec Pack 3.7.0 Full
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Turkish Language Pack
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - TRK
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (Turkish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Turkish) 2007
Microsoft Office Groove MUI (Turkish) 2007
Microsoft Office InfoPath MUI (Turkish) 2007
Microsoft Office OneNote MUI (Turkish) 2007
Microsoft Office Outlook MUI (Turkish) 2007
Microsoft Office PowerPoint MUI (Turkish) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Turkish) 2007
Microsoft Office Proofing (Turkish) 2007
Microsoft Office Publisher MUI (Turkish) 2007
Microsoft Office Shared MUI (Turkish) 2007
Microsoft Office Word MUI (Turkish) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.0.6)
Nero 8 Lite 8.3.6.0
NOD32 antivirus system
NVIDIA Drivers
OpenOffice.org 2.3
OpenOffice.org 2.3 Language Pack (Türkçe)
Picasa 2
Pro Evolution Soccer 2009
QuickSnooker
Realtek High Definition Audio Driver
Steam
Texas Instruments PCIxx21/x515 drivers.
Winamp (remove only)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 11 (KB936782) için Güvenlik Güncelleştirmesi
Windows Media Player 11 (KB939683) için Düzeltme
Windows Media Player 11 (KB954154) için Güvenlik Güncelleştirmesi
Windows Search 4.0
Windows XP (KB941569) için Güvenlik Güncelleştirmesi
Windows XP için Düzeltme (KB952287)
Windows XP için Güncelleştirme (KB898461)
Windows XP için Güncelleştirme (KB951072-v2)
Windows XP için Güncelleştirme (KB951978)
Windows XP için Güvenlik Güncelleştirmesi (KB938464)
Windows XP için Güvenlik Güncelleştirmesi (KB950762)
Windows XP için Güvenlik Güncelleştirmesi (KB950974)
Windows XP için Güvenlik Güncelleştirmesi (KB951066)
Windows XP için Güvenlik Güncelleştirmesi (KB951376-v2)
Windows XP için Güvenlik Güncelleştirmesi (KB951698)
Windows XP için Güvenlik Güncelleştirmesi (KB952954)
Windows XP için Güvenlik Güncelleştirmesi (KB954211)
Windows XP için Güvenlik Güncelleştirmesi (KB956390)
Windows XP için Güvenlik Güncelleştirmesi (KB956391)
Windows XP için Güvenlik Güncelleştirmesi (KB956803)
Windows XP için Güvenlik Güncelleştirmesi (KB956841)
Windows XP için Güvenlik Güncelleştirmesi (KB957095)
Windows XP için Güvenlik Güncelleştirmesi (KB958644)
WinRAR archiver

Re: lop problem
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

    7-Zip 4.57 <== old version, will update soon
    Ares 2.1.0 <== P2P, see my note below
    Java(TM) 6 Update 4 <== old version, will update soon
    WinRAR archiver <== not needed since 7zip is installed


P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

I see the OTMoveIt folder still on your C drive, but I can't remember if you still have the executable file for it, so if not, here are the instructions.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\sqmdata*.sqm
    C:\sqmnoopt*.sqm
    C:\Lop SD
    C:\Documents and Settings\Owner\Desktop\dds.scr
    C:\Program Files\Viewpoint
    C:\Program Files\LimeWire
    C:\Program Files\AskSBar
    C:\Program Files\Ares
    C:\Program Files\GamesBar


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: lop problem
Hello again, here is the OTMoveIt log of my machine..

========== FILES ==========
C:\sqmdata00.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmdata03.sqm moved successfully.
C:\sqmnoopt00.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmnoopt03.sqm moved successfully.
C:\Lop SD\Backup-Lop\Reg moved successfully.
C:\Lop SD\Backup-Lop\Hosts moved successfully.
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\LOCALS~1\Temp moved successfully.
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\LOCALS~1 moved successfully.
C:\Lop SD\Backup-Lop\DOCUME~1\Owner moved successfully.
C:\Lop SD\Backup-Lop\DOCUME~1 moved successfully.
C:\Lop SD\Backup-Lop moved successfully.
Folder move failed. C:\Lop SD scheduled to be moved on reboot.
C:\Documents and Settings\Owner\Desktop\dds.scr moved successfully.
File/Folder C:\Program Files\Viewpoint not found.
File/Folder C:\Program Files\LimeWire not found.
File/Folder C:\Program Files\AskSBar not found.
File/Folder C:\Program Files\Ares not found.
File/Folder C:\Program Files\GamesBar not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02242009_234552

Files moved on Reboot...
C:\Lop SD moved successfully.
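
As an added example (not part of this thread, and not OTMoveIt's own code), here is a small Python script that reconciles a `:files` script like the one posted above against the Results log OTMoveIt3 produced, so the helper can see at a glance which requested entries were moved, which are still pending a reboot, and which were never present. The sample script and log embedded in it are constructed, shortened versions of the ones in this thread; the three line shapes it recognises ("moved successfully.", "Folder move failed. ... scheduled to be moved on reboot.", "File/Folder ... not found.") are taken from the log as posted.

```python
"""Reconcile an OTMoveIt3 ':files' script against the Results log it produced.

Added example for this thread; not OTMoveIt's own code. Given the list of
paths the helper asked to move (wildcards allowed) and the Results text the
user pasted back, it reports for every requested entry whether it was moved,
is still pending a reboot, or was not found, so nothing is silently left behind.
"""
import fnmatch
import re

# Constructed sample inputs, shortened from the script and log in the thread.
SCRIPT = """\
:files
C:\\sqmdata*.sqm
C:\\Lop SD
C:\\Documents and Settings\\Owner\\Desktop\\dds.scr
C:\\Program Files\\Viewpoint
"""

RESULTS = """\
========== FILES ==========
C:\\sqmdata00.sqm moved successfully.
C:\\sqmdata01.sqm moved successfully.
C:\\Lop SD\\Backup-Lop moved successfully.
Folder move failed. C:\\Lop SD scheduled to be moved on reboot.
C:\\Documents and Settings\\Owner\\Desktop\\dds.scr moved successfully.
File/Folder C:\\Program Files\\Viewpoint not found.

Files moved on Reboot...
C:\\Lop SD moved successfully.
"""

# Line shapes as they appear in an OTMoveIt3 Results log.
LINE_PATTERNS = [
    (re.compile(r"^File/Folder (?P<path>.+) not found\.$"), "not found"),
    (re.compile(r"^Folder move failed\. (?P<path>.+) scheduled to be moved on reboot\.$"), "scheduled"),
    (re.compile(r"^(?P<path>.+) moved successfully\.$"), "moved"),
]


def script_targets(script):
    """Paths listed under the ':files' directive, in order."""
    targets, in_files = [], False
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):            # a directive such as :files or :commands
            in_files = line.lower() == ":files"
            continue
        if in_files:
            targets.append(line)
    return targets


def parse_results(results):
    """Map each path in the log to its final outcome.

    The "Files moved on Reboot" section comes last, so a later "moved" line
    overrides an earlier "scheduled" line for the same path.
    """
    outcome = {}
    for raw in results.splitlines():
        line = raw.strip()
        for pattern, status in LINE_PATTERNS:
            m = pattern.match(line)
            if m:
                outcome[m["path"]] = status
                break
    return outcome


def reconcile(script, results):
    """For each script entry, reduce the outcomes of the log paths it covers
    to one verdict: moved, pending reboot, not found, partial, or no log line."""
    outcome = parse_results(results)
    report = {}
    for target in script_targets(script):
        pat = target.lower()
        # fnmatch handles the * wildcard; the startswith test also picks up
        # the sub-items OTMoveIt reports beneath a folder entry. Case is
        # folded because Windows paths are case-insensitive.
        covered = [
            status for path, status in outcome.items()
            if fnmatch.fnmatchcase(path.lower(), pat) or path.lower().startswith(pat + "\\")
        ]
        if not covered:
            report[target] = "no log line"
        elif all(s == "moved" for s in covered):
            report[target] = "moved"
        elif "scheduled" in covered:
            report[target] = "pending reboot"
        elif all(s == "not found" for s in covered):
            report[target] = "not found"
        else:
            report[target] = "partial"
    return report


if __name__ == "__main__":
    for target, verdict in reconcile(SCRIPT, RESULTS).items():
        print(f"{verdict:>14}  {target}")
```

On the sample, `C:\Lop SD` is reported as moved because the final "Files moved on Reboot" section overrides the earlier scheduled line; if that section were missing from a pasted log, the same entry would come back as "pending reboot", which is the case where the user should be asked to restart before moving on to the next step.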

Re: lop problem
Okay, let's finish up here.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt.
  • It will start cleaning now, and will want to reboot after, please allow it to do so.
  • It will make a log of what it has removed, but I don't need to see the log.


Let's update the software now.
Download and install the latest version of 7zip from here:
http://downloads.sourceforge.net/sevenzip/7z465.exe

Then update Java:

Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
  • Select the first option where it says "This release includes the highly anticipated...".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

  • First, unzip it.
  • Then run JavaRa. (If you are running Vista, you will need to right click JavaRa > select "Run as administrator")
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.


Let me know how the machine is running now.

Re: lop problem
I wasn't aware of any Lop problem on my PC before discovering my sister's problems.. with your help I deleted and got rid of the kryptik.GH trojan last week, but yesterday during a deep thorough scan with my antivirus it found and deleted 51 kryptik.GH, kryptik.DQ, kryptik.GF and this kind of kryptik stuff that I hate to see.. but other than that there were no big problems, just I realised that sometimes (including when trying to install 7zip just a couple of minutes before) when I open Explorer or Mozilla I am getting an annoying advertisement from LINK REMOVED. I hadn't been aware of any kind of threat other than what I mentioned.. do you think I am safe now? And after resolving my situation, may you give me some information about my sister's PC situation please (just note that I could only follow half of the steps, and the final thing that I did on that PC was the Lop S&D option 2 step..)

Just a note: I am now downloading Java Update 12 but haven't finished yet..

Re: lop problem
Hello again, are you gone? Here I have finalised your instructions; here is the JavaRa log of MY machine:


JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Feb 25 00:49:03 2009

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.

Re: lop problem
Hello.
That popup you're getting, is it just from certain websites? Do you get it if you go to Google?

Can I ask, are you experiencing Google hijack problems?

Re: lop problem
No, I don't get any popup when I go to Google.. I just sometimes get this popup but I don't know when for certain..

I really appreciate the invaluable support that you have been giving me since the first day we met, and I look forward to hearing from you.. I think you are getting some rest, as you deserve it more than anyone else..

I just supplicate that you review all we have done tonight on both PCs.. and would I demand too much if I want the information about the latest situations of my machine and my sister's machine respectively? And I am curious whether I should try to connect to the internet from my sister's machine tomorrow to get help from you?
I hope to get detailed info tomorrow and
I wish you the best..

Re: lop problem
Your sister's machine should be fine to connect to the net, assuming you're careful and don't visit any bad sites until I get online.
Let's get an updated Lop S&D log.

Download Lop S&D here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

Re: lop problem
Hello again my precious friend, firstly I am tracking your instructions for MY machine, and when you confirm that I am completely clean and safe I'll go to my sister's machine and follow your instructions.. I hope this way will help you to work more easily..

Here I start with MY machine..

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Intel(R) Pentium(R) M processor 1.86GHz )
BIOS : Phoenix NoteBIOS 4.0 Release 6.0
USER : Owner ( Administrator )
BOOT : Normal boot
Antivirus : ESET NOD32 antivirus system 2.70 2.70 (Activated)
C:\ (Local Disk) - NTFS - Total:55 Go (Free:39 Go)
D:\ (CD or DVD)
E:\ (Local Disk) - FAT32 - Total:149 Go (Free:76 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( 25.02.2009|16:40 )

--------------------\\ Listing folders in APPLIC~1

[25.02.2009|16:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Babylon
[21.02.2009|16:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\KONAMI
[29.12.2008|01:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[24.11.2008|20:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
[11.11.2008|08:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
[11.11.2008|18:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
[19.01.2009|17:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\qs
[21.01.2009|13:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
[14.11.2008|22:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sports Interactive
[20.01.2009|14:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[11.11.2008|18:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[0|Dosya] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bayt
[13|Dizin] C:\DOCUME~1\ALLUSE~1\APPLIC~1\bayt boş

[10.11.2008|20:34] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\DEFAUL~1\APPLIC~1\bayt boş

[19.01.2009|19:24] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\LOCALS~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\LOCALS~1\APPLIC~1\bayt boş

[15.11.2008|15:06] C:\DOCUME~1\Moiz\APPLIC~1\Adobe
[18.12.2008|22:59] C:\DOCUME~1\Moiz\APPLIC~1\Babylon
[09.01.2009|23:55] C:\DOCUME~1\Moiz\APPLIC~1\DivX
[15.11.2008|15:05] C:\DOCUME~1\Moiz\APPLIC~1\Identities
[15.11.2008|15:11] C:\DOCUME~1\Moiz\APPLIC~1\Macromedia
[28.12.2008|22:06] C:\DOCUME~1\Moiz\APPLIC~1\Microsoft
[15.11.2008|15:05] C:\DOCUME~1\Moiz\APPLIC~1\Windows Desktop Search
[22.02.2009|00:49] C:\DOCUME~1\Moiz\APPLIC~1\Windows Search
[0|Dosya] C:\DOCUME~1\Moiz\APPLIC~1\bayt
[10|Dizin] C:\DOCUME~1\Moiz\APPLIC~1\bayt boş

[10.11.2008|20:38] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[0|Dosya] C:\DOCUME~1\NETWOR~1\APPLIC~1\bayt
[3|Dizin] C:\DOCUME~1\NETWOR~1\APPLIC~1\bayt boş

[11.11.2008|13:22] C:\DOCUME~1\Owner\APPLIC~1\Adobe
[19.01.2009|16:46] C:\DOCUME~1\Owner\APPLIC~1\Babylon
[12.11.2008|11:38] C:\DOCUME~1\Owner\APPLIC~1\BSplayer
[12.11.2008|11:31] C:\DOCUME~1\Owner\APPLIC~1\BSplayer Pro
[10.11.2008|20:39] C:\DOCUME~1\Owner\APPLIC~1\Identities
[11.11.2008|14:35] C:\DOCUME~1\Owner\APPLIC~1\Macromedia
[11.11.2008|17:35] C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
[17.12.2008|20:54] C:\DOCUME~1\Owner\APPLIC~1\Microsoft
[11.11.2008|19:39] C:\DOCUME~1\Owner\APPLIC~1\Mozilla
[14.11.2008|22:49] C:\DOCUME~1\Owner\APPLIC~1\Sports Interactive
[11.11.2008|19:24] C:\DOCUME~1\Owner\APPLIC~1\Sun
[11.11.2008|19:39] C:\DOCUME~1\Owner\APPLIC~1\Thunderbird
[11.11.2008|11:30] C:\DOCUME~1\Owner\APPLIC~1\Windows Desktop Search
[12.11.2008|19:07] C:\DOCUME~1\Owner\APPLIC~1\Windows Search
[11.02.2009|11:53] C:\DOCUME~1\Owner\APPLIC~1\WinRAR
[0|Dosya] C:\DOCUME~1\Owner\APPLIC~1\bayt
[17|Dizin] C:\DOCUME~1\Owner\APPLIC~1\bayt boş

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[25.02.2009 16:10][--ah-----] C:\WINDOWS\tasks\SA.DAT
[04.08.2004 16:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[24.02.2009|23:49] C:\Program Files\7-Zip
[18.12.2008|18:28] C:\Program Files\Babylon
[24.02.2009|23:42] C:\Program Files\Common Files
[10.11.2008|20:32] C:\Program Files\ComPlus Applications
[08.02.2009|22:09] C:\Program Files\ESET
[10.11.2008|22:11] C:\Program Files\Foxit Software
[11.11.2008|08:57] C:\Program Files\Google
[11.11.2008|12:16] C:\Program Files\InstallShield Installation Information
[02.02.2009|20:47] C:\Program Files\Internet Explorer
[25.02.2009|00:41] C:\Program Files\Java
[11.11.2008|09:03] C:\Program Files\K-Lite Codec Pack
[21.02.2009|16:11] C:\Program Files\KONAMI
[10.11.2008|20:35] C:\Program Files\microsoft frontpage
[11.11.2008|09:45] C:\Program Files\Microsoft Office
[11.11.2008|11:20] C:\Program Files\Microsoft Silverlight
[11.11.2008|09:45] C:\Program Files\Microsoft Visual Studio
[11.11.2008|09:45] C:\Program Files\Microsoft Works
[10.11.2008|20:33] C:\Program Files\Movie Maker
[25.02.2009|01:10] C:\Program Files\Mozilla Firefox
[10.11.2008|20:31] C:\Program Files\MSN Gaming Zone
[10.11.2008|22:12] C:\Program Files\mtu
[11.11.2008|09:01] C:\Program Files\Nero
[10.11.2008|20:33] C:\Program Files\NetMeeting
[10.11.2008|20:33] C:\Program Files\Online Services
[10.11.2008|22:13] C:\Program Files\OpenOffice.org 2.3
[10.11.2008|20:33] C:\Program Files\Outlook Express
[11.11.2008|08:57] C:\Program Files\Picasa2
[24.02.2009|23:43] C:\Program Files\QuickSnooker
[22.01.2009|11:00] C:\Program Files\Steam
[20.01.2009|12:16] C:\Program Files\Trend Micro
[10.11.2008|20:39] C:\Program Files\Uninstall Information
[12.11.2008|11:31] C:\Program Files\Webteh
[20.01.2009|13:35] C:\Program Files\Winamp
[11.11.2008|11:30] C:\Program Files\Windows Desktop Search
[11.11.2008|08:58] C:\Program Files\Windows Live
[11.11.2008|11:22] C:\Program Files\Windows Media Connect 2
[11.11.2008|11:22] C:\Program Files\Windows Media Player
[10.11.2008|20:31] C:\Program Files\Windows NT
[10.11.2008|20:33] C:\Program Files\WindowsUpdate
[11.02.2009|11:44] C:\Program Files\WinRAR
[10.11.2008|20:35] C:\Program Files\xerox
[0|Dosya] C:\Program Files\bayt
[43|Dizin] C:\Program Files\bayt boş

--------------------\\ Listing Folders in C:\Program Files\Common Files

[11.11.2008|09:45] C:\Program Files\Common Files\DESIGNER
[11.11.2008|12:15] C:\Program Files\Common Files\InstallShield
[11.11.2008|10:03] C:\Program Files\Common Files\Microsoft Shared
[10.11.2008|20:33] C:\Program Files\Common Files\MSSoap
[11.11.2008|09:00] C:\Program Files\Common Files\Nero
[10.11.2008|22:18] C:\Program Files\Common Files\ODBC
[10.11.2008|20:33] C:\Program Files\Common Files\Services
[10.11.2008|22:18] C:\Program Files\Common Files\SpeechEngines
[10.11.2008|22:22] C:\Program Files\Common Files\System
[0|Dosya] C:\Program Files\Common Files\bayt
[11|Dizin] C:\Program Files\Common Files\bayt boş

--------------------\\ Process

( 38 Processes )

iexplore.exe ~ [PID:528]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 16:41:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
disk error: C:\WINDOWS\System32\
please note that you need administrator rights to perform deep scan

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Owner\Recent\CRACK ve SERIAL.lnk


[F:1007][D:27]-> C:\DOCUME~1\Owner\LOCALS~1\Temp
[F:100][D:0]-> C:\DOCUME~1\Owner\Cookies
[F:7569][D:8]-> C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 25.02.2009|16:42 - Option : [1]

--------------------\\ Scan completed at 16:42:07

Re: lop problem
Hello.
I think we can wrap this up now.
Nothing showing up in LOP S&D.
I think the popups may be something hiding from us; hopefully this will get it.

Once MBAM is done, I'll flag you as clean if the report isn't too bad.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: lop problem
Hello again.. I couldn't update the program; it says ''Update failed, make sure you are connected to the internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the internet''. Should I proceed ignoring this?

Re: lop problem
Yes. See what the scan finds.

Re: lop problem
Process done.. what were those 16 infected files?

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

25.02.2009 18:02:04
mbam-log-2009-02-25 (18-02-04).txt

Scan type: Quick Scan
Objects scanned: 64048
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxhjuoethw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxaollvqhr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxdgmwqkih.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxdlpalyno.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxfwxwhkly.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxjdbqptxe.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxlldllole.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxlrdltowy.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxlyappakx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxpvuueuhd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxsapynkly.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxtymctqon.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxvwiltlog.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxwtmjctni.sys (Trojan.Agent) -> Quarantined and deleted successfully.
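
The question of what the 16 infected items were is one a parser can answer directly from the log: 1 registry key plus 15 files. As an added example (not from this thread and not Malwarebytes' code), the following Python reads an MBAM 1.x log in the format posted above, checks that the summary counters agree with the items actually listed, and groups detected files under system32 by a shared filename prefix. Thirteen driver files and a DLL all starting with the same six random-looking letters, as in the log above, are the footprint of one rootkit dropping many components rather than of unrelated infections, which matches the helper's reading of it as a DNS hijacker rootkit. The embedded sample log is a constructed, shortened version of the one in the thread.

```python
"""Triage a Malwarebytes' Anti-Malware (MBAM 1.x) text log.

Added example for this thread; not Malwarebytes' code. It parses the summary
counters and the per-item detection lines, checks that the counters agree with
the listed items, and groups detected files under system32 by a shared
filename prefix, since many drivers sharing one random-looking prefix is the
footprint of a single rootkit dropper rather than of unrelated infections.
"""
import re
from collections import defaultdict

# Constructed sample log, shortened from the one posted in the thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 64048

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\\coolplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\\Program Files\\Mozilla Firefox\\components\\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\gaopdxhjuoethw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\drivers\\gaopdxaollvqhr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\drivers\\gaopdxdgmwqkih.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 1" is a summary counter; "Registry Keys Infected:"
# with no number opens the section that lists the items.
SUMMARY_RE = re.compile(r"^(?P<name>.+ Infected): (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (summary, detections).

    summary maps counter name -> int; detections maps section name -> list of
    (path, family, action) tuples, with empty lists for clean sections.
    """
    summary, detections, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line closes a section
            section = None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["name"]] = int(m["count"])
            continue
        if line.endswith(" Infected:"):
            section = line[:-1]
            detections.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections[section].append((m["path"], m["family"], m["action"]))
    return summary, detections


def count_mismatches(summary, detections):
    """Counters whose value differs from the number of items actually listed."""
    return {
        name: (count, len(detections.get(name, [])))
        for name, count in summary.items()
        if len(detections.get(name, [])) != count
    }


def system32_prefix_clusters(detections, prefix_len=6, min_size=2):
    """Group detected files under system32 by the first prefix_len characters
    of the filename and keep groups of at least min_size, largest first."""
    groups = defaultdict(list)
    for path, _family, _action in detections.get("Files Infected", []):
        folder, _, name = path.rpartition("\\")
        if "\\system32" in folder.lower():
            groups[name[:prefix_len].lower()].append(path)
    clusters = {k: v for k, v in groups.items() if len(v) >= min_size}
    return dict(sorted(clusters.items(), key=lambda kv: -len(kv[1])))


def triage(text):
    """One-call summary: total items, counter consistency, families, clusters."""
    summary, detections = parse_mbam_log(text)
    families = sorted({fam for items in detections.values() for _, fam, _ in items})
    return {
        "total_items": sum(summary.values()),
        "mismatches": count_mismatches(summary, detections),
        "families": families,
        "clusters": system32_prefix_clusters(detections),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log posted above, `total_items` comes out at 16 and the one cluster holds 14 paths under the `gaopdx` prefix; a non-empty `mismatches` result would mean the pasted log was truncated, which is worth checking before asking for the next tool.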

Re: lop problem
It's a DNS hijacker rootkit.
Can you post a new DDS log please? I wasn't expecting this.

Re: lop problem
I am wondering and upset about how I could have smudged this much trouble by just simple use of the internet, and wondering who the intruder is and what they can gain from us :(


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 18:13:12,71 on 25.02.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1589 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\Problem Çözümleme Artıkları\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
mDefault_Page_URL = hxxp://www.google.com.tr/
uInternet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dk994s4c.default\
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\dk994s4c.default\extensions\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}\components\FFAlert.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Dönüştürücüsü;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-02-25 17:51 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-25 17:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-25 17:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 17:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 17:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 16:40 --d----- C:\Lop SD
2009-02-25 00:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-25 00:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-21 16:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:15 --d----- c:\docume~1\alluse~1\applic~1\KONAMI
2009-02-21 16:11 --d----- c:\program files\KONAMI
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-08 21:09 6,604 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf
2009-01-29 01:08 4 a------- c:\windows\system32\gaopdxcounter

==================== Find3M ====================

2009-02-25 00:09 413,744 a------- c:\windows\system32\perfh01F.dat
2009-02-25 00:09 82,292 a------- c:\windows\system32\perfc01F.dat

============= FINISH: 18:13:30,79 ===============
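The Malwarebytes result lines and the DDS report posted above are the two log formats a helper reads by eye in a thread like this. The following is an added example, not from the thread or from any of the tools used in it: a small Python triage script that parses both formats, decodes the DDS attribute flags (e.g. `a-dshr--`), and applies rules drawn from what these particular logs show. The `gaopdx` prefix, the file paths and the `ProxyServer` value are copied from the logs posted here; the rule set, the `Finding` type and the `SAMPLE_LINES` list are constructed for illustration and are my assumptions, not anything the helper ran.

```python
"""Log triage for the two formats quoted in this thread.

Added example for the thread; not from the original posts or from any tool
the helpers used. It parses Malwarebytes result lines and DDS 'Created Last
30' / ProxyServer lines, decodes the DDS attribute flags, and applies rules
drawn from what these logs show. Sample lines below are constructed; the
paths, the gaopdx prefix and the proxy value are copied from the thread.
"""
import re
from dataclasses import dataclass

# Prefix of the randomly named drivers Malwarebytes quarantined in the thread
# (c:\windows\system32\drivers\gaopdx*.sys) and of the gaopdxcounter file.
ROOTKIT_PREFIX = "gaopdx"

MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")
# DDS created-file line: date time [size] flags path; directories carry no size.
DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<flags>[a-z-]{8})\s+(?P<path>.+)$"
)
PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer = (?P<proxy>\S+)$")


@dataclass
class Finding:
    severity: str  # "malicious" (scanner hit or rootkit prefix) or "review" (needs a human)
    path: str
    reason: str


def decode_flags(flags):
    """DDS attribute string such as 'a-dshr--': a=archive d=directory s=system h=hidden r=read-only."""
    names = {"a": "archive", "d": "directory", "s": "system", "h": "hidden", "r": "readonly"}
    return {names[c] for c in flags if c in names}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = MBAM_RE.match(line)
        if m:
            # Anything the scanner named is a hit; note whether it is still present.
            reason = m["name"]
            if basename(m["path"]).startswith(ROOTKIT_PREFIX):
                reason += ", rootkit-family driver name"
            reason += ", still present" if "No action taken" in m["action"] else ", quarantined"
            findings.append(Finding("malicious", m["path"], reason))
            continue
        m = PROXY_RE.match(line)
        if m:
            findings.append(Finding("review", m["proxy"],
                                    "IE proxy configured; confirm it is the expected one"))
            continue
        m = DDS_RE.match(line)
        if not m:
            continue
        path, attrs = m["path"], decode_flags(m["flags"])
        name = basename(path)
        if name.startswith(ROOTKIT_PREFIX):
            findings.append(Finding("malicious", path, "rootkit-family name left on disk"))
        elif name == "autorun.inf" and re.fullmatch(r"[a-z]:\\autorun\.inf", path.lower()):
            if {"hidden", "system"} <= attrs:
                kind = "folder" if "directory" in attrs else "file"
                findings.append(Finding("review", path,
                    f"hidden+system autorun.inf {kind} at drive root "
                    "(immunization tools create a folder; autorun worms drop a file)"))
    return findings


# Constructed sample; the entries themselves are copied from the logs posted in the thread.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\drivers\gaopdxaollvqhr.sys (Trojan.Agent) -> Quarantined and deleted successfully.",
    r"C:\WINDOWS\system32\drivers\gaopdxdgmwqkih.sys (Trojan.Agent) -> Quarantined and deleted successfully.",
    r"uInternet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81",
    r"2009-02-25 17:51 --d----- c:\docume~1\owner\applic~1\Malwarebytes",
    r"2009-02-25 17:51 15,504 a------- c:\windows\system32\drivers\mbam.sys",
    r"2009-02-15 17:59 a-dshr-- C:\autorun.inf",
    r"2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys",
    r"2009-01-29 01:08 4 a------- c:\windows\system32\gaopdxcounter",
]


def count_by_severity(findings):
    counts = {"malicious": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.severity:9} {f.path}  [{f.reason}]")
```

Run on the sample, the script flags the two quarantined `gaopdx*.sys` drivers and the leftover `gaopdxcounter` file as malicious, and puts the configured proxy and the hidden, system, read-only `autorun.inf` folder at the root of `C:` up for review rather than asserting either is hostile: a university proxy can be legitimate, and a hidden `autorun.inf` folder with those attributes is exactly what USB immunization tools create, whereas an autorun worm leaves a file. The point of the `review` class is to keep the human in the loop for entries the log alone cannot decide.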

Re: lop problem
Hello.
See if you still get the Firefox popups now.

If you do, we'll go at it full force. I know the rootkit is present; we can blast it down.

Re: lop problem
What should I do now? I do not always get the popup; I sometimes get it at random (I have not had any since last night.)

Today I experienced a strange thing. Before you got online I left the machine for nearly 5 minutes, and when I came back I could move the mouse cursor freely but could not click on anything; the display and keyboard were frozen, I could only move the mouse cursor, and I was forced to turn it off with the power button. But I sense this is not a big problem and has nothing to do with the problems you're solving.

Re: lop problem
Hmm.
Okay, if there are no problems left and the keyboard and mouse still work, then I think we can say we're done.

Re: lop problem
Thank you very, very much, you are the best!!! Hooray! I just want to know how I can protect myself from future problems.

And after that, can we start to work on my sister's machine? If you confirm, I will make a brief statement about the situation of her machine, the problems we encountered yesterday and the differences between yesterday and today.

Re: lop problem
Hello.
Power down this machine and leave it off, stop any malware getting back on.

Then go onto your sister's machine, and I'll post a prevention speech at the end when we're done with her machine.
Please open a new topic as well, this topic is getting too long for me to keep up with.

Re: lop problem
Hi again. I did everything that you said except the ''stop any malware getting back on'' part; I couldn't understand what you meant there. I just shut down my machine and am working on her machine now. I created a new topic called multiple infections and posted a message; waiting for your reply.

Re: lop problem
I have responded to your new thread.
