GeekPolice
multiple infections

Hello dear belahzur, just a note that I couldn't understand the 'stop any malware getting back on.' instruction that you gave. I just turned off my machine, and now I am working on my sister's machine. Do you remember what we did yesterday? I want to remind you of the summary situation of this machine:

- This machine was unable to do any internet action, although there seems to be no noticeable network problem.
- There were too many annoying alerts in Windows and the machine was working slower than before (some of the errors I remember: explorer.exe error, drwatson.exe error, scvhost.exe or something like that errors, and many others).
- After consulting you, I followed the instructions from my machine and transferred the programs to her machine by USB disk and progressed till the LopSD option 2 step. Many annoying and strange actions and errors disappeared, and now I can connect to the internet and work in the browser as you permit.
- Before you got online early today, after your permission for me to connect from her machine and surf on safe trusted sites, I encountered two memorable errors: one was a very annoying and unstoppable ''7l3m4x8d6.exe'' error repeating constantly, and the other was lpa.exe (I could mis-remember the name) that appeared just once.
- After turning off her machine to clean my machine with your invaluable help, I returned to her machine and didn't notice any noticeable errors this time.

The summary of our situation is this.

Re: multiple infections

Hello.
Glad to hear that.
Let's make sure we haven't left anything behind.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: multiple infections

DDS (Ver_09-02-01.01) - NTFSx86
Run by usr at 19:36:10,53 on 25.02.2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1254.90.1055.18.511.116 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\LifeView TVR\RecSche.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SMC\SMCWPCIT-G\SMCWCU.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\LifeView TVR\remote.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\usr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com.tr/
uInternet Settings,ProxyOverride =
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Oturum Açma Yardım Aracı: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Remote] c:\program files\lifeview tvr\Remote.exe
mRun: [RecSche] "c:\program files\lifeview tvr\RecSche.exe"
mRun: [WinDVRCtrl] c:\windows\WDVRCtrl.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SMCWCU] "c:\program files\smc\smcwpcit-g\SMCWCU.exe" -nogui
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/TR-TR/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\usr\applic~1\mozilla\firefox\profiles\oyyj043w.default\

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-24 15424]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-24 552064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-20 24652]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-10-2 892032]
S3 bDMusicb;bDMusicb;c:\docume~1\usr\locals~1\temp\bDMusicb.sys [2004-9-14 31744]
S4 WinSoft Service Controler;WinSoft Service Controler;c:\windows\system32\drivers\WinMgmt.exe [2009-2-19 723968]

=============== Created Last 30 ================

2009-02-24 22:12 --d----- C:\Lop SD
2009-02-24 17:08 0 a------- c:\windows\system32\mapisvc.inf
2009-02-24 17:08 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-24 17:08 298,104 a------- c:\windows\system32\imon.dll
2009-02-24 17:08 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-24 17:08 --d----- c:\program files\ESET
2009-02-23 20:31 26,156 a------- c:\documents and settings\usr\lpex.exe
2009-02-23 18:05 26,156 a------- c:\documents and settings\usr\lpe.exe
2009-02-21 22:55 26,156 a------- c:\documents and settings\usr\7l3m4x8d6.exe
2009-02-21 21:26 73,216 a------- c:\documents and settings\usr\Setxup.exe
2009-02-21 21:25 26,156 a------- c:\documents and settings\usr\ssdswe.exe
2009-02-21 21:24 26,156 a------- c:\documents and settings\usr\deleteme.exe
2009-02-19 16:08 723,968 ---shr-- c:\windows\system32\drivers\WinMgmt.exe
2009-02-17 19:09 26,156 a------- c:\documents and settings\usr\h4d7l3m4x8d6.exe
2009-02-16 16:37 73,216 a------- c:\documents and settings\usr\Setup.exe
2009-02-15 14:03 25,132 a------- c:\documents and settings\usr\explode.exe
2009-02-12 19:26 25,132 a------- c:\documents and settings\usr\ssddshd.exe
2009-02-12 19:25 18,944 a------- c:\documents and settings\usr\sfddshd.exe
2009-02-08 12:27 25,132 a------- c:\documents and settings\usr\sd4dshd.exe
2009-02-07 17:30 --d----- C:\quarantine
2009-02-07 17:29 25,132 a------- c:\documents and settings\usr\srdshd.exe
2009-02-06 18:50 167,936 ---shr-- c:\windows\system32\drivers\services.exe
2009-02-04 16:44 18,944 a------- c:\documents and settings\usr\sdsxxdshd.exe
2009-02-04 11:45 41,004 a------- c:\documents and settings\usr\sxdsxdshd.exe
2009-02-04 11:41 41,004 a------- c:\windows\sxdsxdshd.exe
2009-02-03 18:12 25,132 a------- c:\documents and settings\usr\s2dsxdshd.exe
2009-02-03 18:10 41,004 a------- c:\windows\s2dsxdshd.exe
2009-02-03 18:05 41,004 a------- c:\documents and settings\usr\sdsxdshd.exe
2009-02-02 12:55 49,152 a------- c:\documents and settings\usr\kkkl.exe
2009-01-29 15:46 41,004 a------- c:\windows\sdsxdshd.exe
2009-01-29 15:45 47,192 a------- c:\documents and settings\usr\sxdsdshd.exe
2009-01-27 11:21 81,920 a------- c:\documents and settings\usr\kdjods.exe
2009-01-27 11:20 81,920 a------- c:\documents and settings\usr\kjodxs.exe

==================== Find3M ====================

2009-02-22 21:45 303,230 a------- c:\windows\system32\perfh01F.dat
2009-02-22 21:45 46,628 a------- c:\windows\system32\perfc01F.dat
2009-02-01 00:18 47,192 a------- c:\documents and settings\usr\sdsdsd.exe
2009-01-30 00:07 49,196 a------- c:\documents and settings\usr\sdsdshd.exe
2009-01-25 19:12 33,366 a------- c:\documents and settings\usr\Exrexdr.exe
2009-01-25 18:19 33,366 a------- c:\documents and settings\usr\Exredr2.exe
2009-01-25 18:19 33,366 a------- c:\documents and settings\usr\Exxrxedr.exe
2009-01-23 23:24 49,196 a------- c:\documents and settings\usr\Exredr.exe
2009-01-21 20:47 4,014 a------- c:\documents and settings\usr\taskmger.exe
2009-01-21 15:19 49,196 a------- c:\documents and settings\usr\xsdsdsd.exe
2009-01-20 22:19 62,976 a------- c:\documents and settings\usr\asdsdsd.exe
2009-01-16 21:35 74,256 a------- c:\documents and settings\usr\Rkhaa.exe
2006-11-21 18:38 18,096 a------- c:\docume~1\usr\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 19:36:37,45 ===============

Re: multiple infections

Oh my, this is bad.
We have to use ComboFix here. This tool is extremely powerful, so when reading the instructions for it, read very carefully.

First though, I see Viewpoint is present.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Read this article: http://www.clickz.com/news/article.php/3561546

Additional info: http://vil.nai.com/vil/content/v_137262.htm

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Ask Toolbar
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Using Combofix

  • Download combofix from here
    Link 1
    Link 2
  • Please disable your local AV (anti-virus). See HERE for how to disable your AV (ESET NOD32).
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Recovery Console install prompt]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

    [screenshot: continue-scan prompt]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Re: multiple infections

I couldn't remove 'Ask Toolbar'; it says something like "can't remove" or "removed before" in my language. I must exit for 20 minutes and come back. Is there anything I can do to remove Viewpoint or Ask Toolbar etc.? Or do you want me to neglect this step and go further?

Re: multiple infections

Okay, skip the removing and we'll have CF remove it for us when we remove the malware.

Re: multiple infections

OK, I came back again. When I turned on the PC again I encountered an explorer.exe error, and after that a strange box opened in the upper left corner with the title "personal adjustments" (translated from my language), and I saw some recycler and restore stuff there. Now I'm continuing to follow your instructions given above.

Re: multiple infections

I've downloaded CF and disabled NOD32, but CF insists that the antivirus is still active, so I didn't go further. What do you advise to be sure that NOD32 is inactive?

Re: multiple infections

Hmm.
Is NOD32 paid for? If not, we can uninstall it while we do this.

Re: multiple infections

No, I was using the trial version. OK, I am uninstalling NOD32 and will stay without antivirus till your next instruction, and after that will try to go further with the CF tool.

Re: multiple infections

Okay, uninstall it, but DO NOT surf the net.
Then run CF.

Re: multiple infections

I got mad when I noticed that I couldn't even enter the Add/Remove Programs section :-( I uninstalled it via Programs > ESET > NOD32 > Uninstall and then rebooted the machine. Now hopefully CF will take care of my PC.

Re: multiple infections

I have finalised the scan, but I didn't encounter the Recovery Console part.

ComboFix 09-02-24.02 - usr 2009-02-25 21:04:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.511.267 [GMT 2:00]
Running from: c:\documents and settings\usr\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\usr\kkkl.exe
c:\documents and settings\usr\s2dsxdshd.exe
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
c:\windows\IE4 Error Log.txt
c:\windows\s2dsxdshd.exe
c:\windows\sdsxdshd.exe
c:\windows\system32\drivers\services.exe
c:\windows\Temp\23370.exe
c:\windows\Temp\60360.exe
c:\windows\Temp\61312.exe
c:\windows\Temp\84547.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 22:12 . 2009-02-24 22:39 d-------- C:\Lop SD
2009-02-24 17:08 . 2009-02-25 20:54 d-------- c:\program files\ESET
2009-02-24 17:08 . 2009-02-24 17:08 0 --a------ c:\windows\system32\mapisvc.inf
2009-02-23 20:31 . 2009-02-24 17:14 26,156 --a------ c:\documents and settings\usr\lpex.exe
2009-02-23 18:05 . 2009-02-25 20:56 26,156 --a------ c:\documents and settings\usr\lpe.exe
2009-02-21 22:55 . 2009-02-25 20:59 26,156 --a------ c:\documents and settings\usr\7l3m4x8d6.exe
2009-02-21 21:26 . 2009-02-24 20:17 73,216 --a------ c:\documents and settings\usr\Setxup.exe
2009-02-21 21:25 . 2009-02-22 21:45 26,156 --a------ c:\documents and settings\usr\ssdswe.exe
2009-02-21 21:24 . 2009-02-22 21:49 26,156 --a------ c:\documents and settings\usr\deleteme.exe
2009-02-19 16:08 . 2009-02-19 16:08 723,968 -r-hs---- c:\windows\system32\drivers\WinMgmt.exe
2009-02-17 19:09 . 2009-02-25 21:03 26,156 --a------ c:\documents and settings\usr\h4d7l3m4x8d6.exe
2009-02-16 16:37 . 2009-02-25 21:03 73,216 --a------ c:\documents and settings\usr\Setup.exe
2009-02-15 14:03 . 2009-02-15 20:50 25,132 --a------ c:\documents and settings\usr\explode.exe
2009-02-12 19:26 . 2009-02-16 16:56 25,132 --a------ c:\documents and settings\usr\ssddshd.exe
2009-02-12 19:25 . 2009-02-12 21:31 18,944 --a------ c:\documents and settings\usr\sfddshd.exe
2009-02-08 12:27 . 2009-02-16 16:56 25,132 --a------ c:\documents and settings\usr\sd4dshd.exe
2009-02-07 17:30 . 2009-02-18 20:33 d-------- C:\quarantine
2009-02-07 17:29 . 2009-02-16 16:56 25,132 --a------ c:\documents and settings\usr\srdshd.exe
2009-02-04 16:44 . 2009-02-16 16:46 18,944 --a------ c:\documents and settings\usr\sdsxxdshd.exe
2009-02-04 11:45 . 2009-02-04 12:08 41,004 --a------ c:\documents and settings\usr\sxdsxdshd.exe
2009-02-04 11:41 . 2009-02-04 11:41 41,004 --a------ c:\windows\sxdsxdshd.exe
2009-02-03 18:05 . 2009-02-04 21:54 41,004 --a------ c:\documents and settings\usr\sdsxdshd.exe
2009-01-29 15:45 . 2009-01-29 16:05 47,192 --a------ c:\documents and settings\usr\sxdsdshd.exe
2009-01-27 11:21 . 2009-01-27 11:35 81,920 --a------ c:\documents and settings\usr\kdjods.exe
2009-01-27 11:20 . 2009-01-27 11:35 81,920 --a------ c:\documents and settings\usr\kjodxs.exe
2009-01-25 18:32 . 2009-01-25 19:12 33,366 --a------ c:\documents and settings\usr\Exrexdr.exe
2009-01-25 17:44 . 2009-01-25 18:19 33,366 --a------ c:\documents and settings\usr\Exxrxedr.exe
2009-01-25 17:44 . 2009-01-25 18:19 33,366 --a------ c:\documents and settings\usr\Exredr2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 20:37 --------- d-----w c:\program files\Viewpoint
2009-02-23 19:54 --------- d-----w c:\program files\Common Files\AOL
2009-02-22 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\GamesBar
2009-02-06 16:30 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-31 22:18 47,192 ----a-w c:\documents and settings\usr\sdsdsd.exe
2009-01-29 22:07 49,196 ----a-w c:\documents and settings\usr\sdsdshd.exe
2009-01-23 21:24 49,196 ----a-w c:\documents and settings\usr\Exredr.exe
2009-01-21 18:47 4,014 ----a-w c:\documents and settings\usr\taskmger.exe
2009-01-21 15:51 --------- d-----w c:\documents and settings\usr\Application Data\PlayFirst
2009-01-21 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\Reflexive
2009-01-21 15:50 --------- d-----w c:\program files\PlayFirst
2009-01-21 15:24 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-21 13:19 49,196 ----a-w c:\documents and settings\usr\xsdsdsd.exe
2009-01-20 20:19 62,976 ----a-w c:\documents and settings\usr\asdsdsd.exe
2009-01-18 17:59 --------- d-----w c:\program files\PhotoScape
2009-01-16 19:35 74,256 ----a-w c:\documents and settings\usr\Rkhaa.exe
2006-11-21 16:38 18,096 ----a-w c:\documents and settings\usr\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Remote"="c:\program files\LifeView TVR\Remote.exe" [2006-05-09 212992]
"RecSche"="c:\program files\LifeView TVR\RecSche.exe" [2006-01-04 454656]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SMCWCU"="c:\program files\SMC\SMCWPCIT-G\SMCWCU.exe" [2006-03-14 303104]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NodLogin"="c:\program files\Eset\nodlogin.exe" [2008-07-29 358448]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\All Users\Start Menu\Programlar\Başlangıç\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-09-22 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:35 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\System\\taskmger.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-20 24652]
R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-10-02 892032]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys [?]
S4 WinSoft Service Controler;WinSoft Service Controler;c:\windows\system32\drivers\WinMgmt.exe [2009-02-19 723968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f52345-e246-11dd-a532-00173176301a}]
\Shell\AutoRun\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
\Shell\open\command - f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e68a4e8e-1086-11dd-a460-00173176301a}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL win32s.exe
\Shell\Aç\command - F:\win32s.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1D187332}]
c:\restore\k-1-3542-4232123213-7676767-8888886\X0R.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F187332}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\r00t.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987192}]
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}]
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-24CX1C987132}]
c:\recycle\D-0-060-0000000000-1111111-2222222\FiX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-34CX1C987132}]
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187562}]
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinDVRCtrl - c:\windows\WDVRCtrl.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.tr/
uInternet Settings,ProxyOverride =
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\usr\Application Data\Mozilla\Firefox\Profiles\oyyj043w.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 21:07:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Remote = c:\program files\LifeView TVR\Remote.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"



Completion time: 2009-02-25 21:09:01
ComboFix-quarantined-files.txt 2009-02-25 19:08:59

Pre-Run: 52.270.600.192 bayt boş
Post-Run: 54,570,307,584 bayt boş

172 --- E O F --- 2009-01-16 16:27:44
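
A helper reads a DDS or ComboFix log like the one above for the same handful of tells: Active Setup "Installed Components" keys whose GUIDs contain letters that cannot occur in hex (K, L, N, O, P, W, X), executables dropped straight into the profile root or under recycler/restore-style folders, an .exe sitting in the drivers folder, Security Center notifications switched off, and Task Manager or the Registry Editor disabled by policy. The following is an added example, not part of this thread and not DDS's or ComboFix's own code: it codes those checks up in Python and runs them over a few constructed sample lines shaped like the log output posted here. The well-formed GUID and the legit.exe path in the sample are made up to show what the heuristics do not flag.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the DDS and ComboFix lines posted in this
# thread (added example; not DDS's or ComboFix's code). The last Active Setup
# entry uses a made-up but well-formed GUID and a made-up legitimate path.
SAMPLE_LOG = r"""
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
2009-02-19 16:08 723,968 ---shr-- c:\windows\system32\drivers\WinMgmt.exe
2009-02-23 18:05 26,156 a------- c:\documents and settings\usr\lpe.exe
2009-02-24 17:08 512,096 a------- c:\windows\system32\drivers\amon.sys
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F187332}]
c:\recycler\k-1-3542-4232123213-7676767-8888886\r00t.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{00000000-1111-2222-3333-444444444444}]
c:\program files\example\legit.exe
"""

# A real GUID is five groups of hex digits (8-4-4-4-12); anything else is bogus.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
ACTIVE_SETUP_RE = re.compile(r"\\active setup\\installed components\\(\{[^}]*\})$", re.I)
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-f]{8})$', re.I)
EXE_PATH_RE = re.compile(r"[a-z]:\\.*?\.exe\b", re.I)
POLICY_RE = re.compile(r"Policies-system:\s*(DisableTaskMgr|DisableRegistryTools)\s*=\s*1\b")

# Security Center values that silence or override the AV/firewall warnings.
SECURITY_CENTER_FLAGS = {"AntiVirusDisableNotify", "UpdatesDisableNotify",
                         "FirewallDisableNotify", "AntiVirusOverride", "FirewallOverride"}
# Executables that legitimately live directly in %WINDIR% on XP (partial allow list).
WINDIR_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}


def is_valid_guid(text: str) -> bool:
    return GUID_RE.match(text) is not None


def suspicious_exe_reason(path: str) -> str:
    """Return why an executable path looks like a malware drop location, or '' if it does not."""
    p = path.lower()
    if re.match(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", p):
        return "executable directly in a user profile root"
    if re.match(r"^[a-z]:\\(recycler|recycle|restore|system)\\", p):
        return "executable under a recycler/restore-style folder"
    if "\\system32\\drivers\\" in p:
        return "executable inside the drivers folder"
    if re.match(r"^c:\\windows\\[^\\]+$", p) and p.rsplit("\\", 1)[1] not in WINDIR_ALLOW:
        return "unexpected executable directly in the Windows folder"
    return ""


def triage(log_text: str) -> Dict[str, List[str]]:
    """Scan DDS/ComboFix-style lines and group the findings by heuristic."""
    findings: Dict[str, List[str]] = {"bogus_active_setup": [], "suspicious_paths": [],
                                      "security_center": [], "policies": []}
    current_key = ""
    pending_guid = ""  # set when the previous line was a bogus Active Setup key
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(2)
            guid_match = ACTIVE_SETUP_RE.search(current_key)
            pending_guid = (guid_match.group(1)
                            if guid_match and not is_valid_guid(guid_match.group(1)) else "")
            continue
        if pending_guid:  # the line after an Active Setup key names what it launches
            findings["bogus_active_setup"].append(f"{pending_guid} -> {line}")
            pending_guid = ""
        dword = DWORD_RE.match(line)
        if dword and current_key.lower().endswith("security center"):
            name, value = dword.groups()
            if name in SECURITY_CENTER_FLAGS and int(value, 16) == 1:
                findings["security_center"].append(name)
        policy = POLICY_RE.search(line)
        if policy:
            findings["policies"].append(policy.group(1))
        for exe in EXE_PATH_RE.findall(line):
            reason = suspicious_exe_reason(exe)
            if reason:
                findings["suspicious_paths"].append(f"{exe} ({reason})")
    return findings


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(category, hits)
```

Run against the constructed sample, the script reports the bogus Active Setup key together with the r00t.exe it launches, the two Security Center notification/override values set to 1, both disabled-policy entries, and three suspicious executable locations (the drivers-folder WinMgmt.exe, the profile-root lpe.exe and the recycler r00t.exe), while winampa.exe and the made-up legit.exe pass. These are exactly the items the CFScript in the next post removes; the heuristics are a triage aid for reading such logs, not a substitute for the tool run.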

Re: multiple infections

Okay, let's finish this off.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
Viewpoint Manager Service
WinSoft Service Controler

File::
c:\documents and settings\usr\lpex.exe
c:\documents and settings\usr\lpe.exe
c:\documents and settings\usr\7l3m4x8d6.exe
c:\documents and settings\usr\Setxup.exe
c:\documents and settings\usr\ssdswe.exe
c:\documents and settings\usr\deleteme.exe
c:\windows\system32\drivers\WinMgmt.exe
c:\documents and settings\usr\h4d7l3m4x8d6.exe
c:\documents and settings\usr\Setup.exe
c:\documents and settings\usr\explode.exe
c:\documents and settings\usr\ssddshd.exe
c:\documents and settings\usr\sfddshd.exe
c:\documents and settings\usr\sd4dshd.exe
c:\documents and settings\usr\srdshd.exe
c:\documents and settings\usr\sdsxxdshd.exe
c:\documents and settings\usr\sxdsxdshd.exe
c:\windows\sxdsxdshd.exe
c:\documents and settings\usr\sdsxdshd.exe
c:\documents and settings\usr\sxdsdshd.exe
c:\documents and settings\usr\kdjods.exe
c:\documents and settings\usr\kjodxs.exe
c:\documents and settings\usr\Exrexdr.exe
c:\documents and settings\usr\Exxrxedr.exe
c:\documents and settings\usr\Exredr2.exe
c:\documents and settings\usr\sdsdsd.exe
c:\documents and settings\usr\sdsdshd.exe
c:\documents and settings\usr\Exredr.exe
c:\documents and settings\usr\taskmger.exe
c:\documents and settings\usr\xsdsdsd.exe
c:\documents and settings\usr\asdsdsd.exe
c:\documents and settings\usr\Rkhaa.exe
f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
F:\win32s.exe
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe

Folder::
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\GamesBar
c:\restore

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\System\\taskmger.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f52345-e246-11dd-a532-00173176301a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e68a4e8e-1086-11dd-a460-00173176301a}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1D187332}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F187332}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{23KLN5J0-4OPM-11WE-AAX5-24EF1F387232}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987192}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-24CX1C987132}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-34CX1C987132}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187562}]


Save this as CFScript.txt; save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix as seen below:
[screenshot: dragging CFScript.txt onto ComboFix.exe]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

Re: multiple infections

The resulting log:

ComboFix 09-02-24.02 - usr 2009-02-25 21:41:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.511.195 [GMT 2:00]
Running from: c:\documents and settings\usr\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\usr\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\usr\7l3m4x8d6.exe
c:\documents and settings\usr\asdsdsd.exe
c:\documents and settings\usr\deleteme.exe
c:\documents and settings\usr\explode.exe
c:\documents and settings\usr\Exredr.exe
c:\documents and settings\usr\Exredr2.exe
c:\documents and settings\usr\Exrexdr.exe
c:\documents and settings\usr\Exxrxedr.exe
c:\documents and settings\usr\h4d7l3m4x8d6.exe
c:\documents and settings\usr\kdjods.exe
c:\documents and settings\usr\kjodxs.exe
c:\documents and settings\usr\lpe.exe
c:\documents and settings\usr\lpex.exe
c:\documents and settings\usr\Rkhaa.exe
c:\documents and settings\usr\sd4dshd.exe
c:\documents and settings\usr\sdsdsd.exe
c:\documents and settings\usr\sdsdshd.exe
c:\documents and settings\usr\sdsxdshd.exe
c:\documents and settings\usr\sdsxxdshd.exe
c:\documents and settings\usr\Setup.exe
c:\documents and settings\usr\Setxup.exe
c:\documents and settings\usr\sfddshd.exe
c:\documents and settings\usr\srdshd.exe
c:\documents and settings\usr\ssddshd.exe
c:\documents and settings\usr\ssdswe.exe
c:\documents and settings\usr\sxdsdshd.exe
c:\documents and settings\usr\sxdsxdshd.exe
c:\documents and settings\usr\taskmger.exe
c:\documents and settings\usr\xsdsdsd.exe
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe
c:\recycler\k-1-3542-4232123213-7676767-8888886\root.exe
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
c:\windows\sxdsxdshd.exe
c:\windows\system32\drivers\WinMgmt.exe
f:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
F:\win32s.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\GamesBar
c:\documents and settings\All Users\Application Data\GamesBar\about.gif
c:\documents and settings\All Users\Application Data\GamesBar\action.gif
c:\documents and settings\All Users\Application Data\GamesBar\arcade.gif
c:\documents and settings\All Users\Application Data\GamesBar\buy.gif
c:\documents and settings\All Users\Application Data\GamesBar\call_of_atlantis16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\cards.gif
c:\documents and settings\All Users\Application Data\GamesBar\deals.gif
c:\documents and settings\All Users\Application Data\GamesBar\download.gif
c:\documents and settings\All Users\Application Data\GamesBar\dream_day_wedding_216x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\feedback.gif
c:\documents and settings\All Users\Application Data\GamesBar\help.gif
c:\documents and settings\All Users\Application Data\GamesBar\highlight.gif
c:\documents and settings\All Users\Application Data\GamesBar\holly_a_christmas_tale_deluxe16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\house_of_wonders_bch16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\interpol_2_most_wanted16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\miss_teri_tale_2_vote_4_me16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\multiplayer.gif
c:\documents and settings\All Users\Application Data\GamesBar\mygames.gif
c:\documents and settings\All Users\Application Data\GamesBar\newGames.gif
c:\documents and settings\All Users\Application Data\GamesBar\oberonconfig.xm_
c:\documents and settings\All Users\Application Data\GamesBar\obSearchHistory.dat
c:\documents and settings\All Users\Application Data\GamesBar\onload\loading.gif
c:\documents and settings\All Users\Application Data\GamesBar\partner.gif
c:\documents and settings\All Users\Application Data\GamesBar\puzzle.gif
c:\documents and settings\All Users\Application Data\GamesBar\search.gif
c:\documents and settings\All Users\Application Data\GamesBar\search_yahoo.gif
c:\documents and settings\All Users\Application Data\GamesBar\season_match_216x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\sendafriend.gif
c:\documents and settings\All Users\Application Data\GamesBar\trial.gif
c:\documents and settings\All Users\Application Data\GamesBar\Turbo_Fiesta16x16.gif
c:\documents and settings\All Users\Application Data\GamesBar\uninstall.gif
c:\documents and settings\All Users\Application Data\GamesBar\update.gif
c:\documents and settings\All Users\Application Data\GamesBar\webgame.gif
c:\documents and settings\usr\7l3m4x8d6.exe
c:\documents and settings\usr\asdsdsd.exe
c:\documents and settings\usr\deleteme.exe
c:\documents and settings\usr\explode.exe
c:\documents and settings\usr\Exredr.exe
c:\documents and settings\usr\Exredr2.exe
c:\documents and settings\usr\Exrexdr.exe
c:\documents and settings\usr\Exxrxedr.exe
c:\documents and settings\usr\h4d7l3m4x8d6.exe
c:\documents and settings\usr\kdjods.exe
c:\documents and settings\usr\kjodxs.exe
c:\documents and settings\usr\lpe.exe
c:\documents and settings\usr\lpex.exe
c:\documents and settings\usr\Rkhaa.exe
c:\documents and settings\usr\sd4dshd.exe
c:\documents and settings\usr\sdsdsd.exe
c:\documents and settings\usr\sdsdshd.exe
c:\documents and settings\usr\sdsxdshd.exe
c:\documents and settings\usr\sdsxxdshd.exe
c:\documents and settings\usr\Setup.exe
c:\documents and settings\usr\Setxup.exe
c:\documents and settings\usr\sfddshd.exe
c:\documents and settings\usr\srdshd.exe
c:\documents and settings\usr\ssddshd.exe
c:\documents and settings\usr\ssdswe.exe
c:\documents and settings\usr\sxdsdshd.exe
c:\documents and settings\usr\sxdsxdshd.exe
c:\documents and settings\usr\taskmger.exe
c:\documents and settings\usr\xsdsdsd.exe
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\recycle\D-0-060-0000000000-1111111-2222222\fix.exe
c:\restore
c:\restore\c-1-3-64-8794238531-8742492-9897532\Desktop.ini
c:\restore\c-1-3-64-8794238531-8742492-9897532\Sys32.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\Desktop.ini
c:\restore\k-1-3542-4232123213-7676767-8888886\JUZZ.exe
c:\restore\k-1-3542-4232123213-7676767-8888886\X0R.exe
c:\windows\sxdsxdshd.exe
c:\windows\system32\drivers\WinMgmt.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Legacy_WINSOFT_SERVICE_CONTROLER
-------\Service_Viewpoint Manager Service
-------\Service_WinSoft Service Controler


((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 22:12 . 2009-02-24 22:39 d-------- C:\Lop SD
2009-02-24 17:08 . 2009-02-25 20:54 d-------- c:\program files\ESET
2009-02-24 17:08 . 2009-02-24 17:08 0 --a------ c:\windows\system32\mapisvc.inf
2009-02-07 17:30 . 2009-02-18 20:33 d-------- C:\quarantine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 19:54 --------- d-----w c:\program files\Common Files\AOL
2009-02-06 16:30 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-21 15:51 --------- d-----w c:\documents and settings\usr\Application Data\PlayFirst
2009-01-21 15:51 --------- d-----w c:\documents and settings\All Users\Application Data\Reflexive
2009-01-21 15:50 --------- d-----w c:\program files\PlayFirst
2009-01-21 15:24 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-18 17:59 --------- d-----w c:\program files\PhotoScape
2006-11-21 16:38 18,096 ----a-w c:\documents and settings\usr\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-02-25_21.08.15,79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Remote"="c:\program files\LifeView TVR\Remote.exe" [2006-05-09 212992]
"RecSche"="c:\program files\LifeView TVR\RecSche.exe" [2006-01-04 454656]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SMCWCU"="c:\program files\SMC\SMCWPCIT-G\SMCWCU.exe" [2006-03-14 303104]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NodLogin"="c:\program files\Eset\nodlogin.exe" [2008-07-29 358448]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\All Users\Start Menu\Programlar\Başlangıç\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-09-22 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:35 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 LVHybrid;LVHybrid service;c:\windows\system32\drivers\LVHybrid.sys [2006-10-02 892032]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\usr\LOCALS~1\Temp\bDMusicb.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.tr/
uInternet Settings,ProxyOverride =
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\usr\Application Data\Mozilla\Firefox\Profiles\oyyj043w.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 21:44:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Remote = c:\program files\LifeView TVR\Remote.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-02-25 21:47:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 19:47:20
ComboFix2.txt 2009-02-25 19:09:03

Pre-Run: 54.549.286.912 bayt boş
Post-Run: 54,490,476,544 bayt boş

234 --- E O F --- 2009-01-16 16:27:44

Re: multiple infections
did i do everything correctly?

Re: multiple infections
Hello.
Yep, just these last things to do.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000


  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Now install a new AV.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[screenshot: the Run box with "ComboFix /u" entered]

This will also reset your restore points.

How is everything now?
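The three things the helper fixed by hand in this thread (Security Center override values flipped to 1, a firewall exception for a lookalike "taskmger.exe", and the OMSCAN service whose ImagePath is just "\Sys") can be picked out of a ComboFix log automatically. The script below is an added example written for this page, not ComboFix's or the helper's own code: the sample log text is constructed from lines of the log quoted above, and the lookalike binary list and the accepted ImagePath prefixes are my own assumptions.

```python
"""Triage the registry sections of a ComboFix-style log (added example, not ComboFix code)."""
import re

# Constructed sample: registry lines copied from the ComboFix log quoted in this thread.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\System\\taskmger.exe"=
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"
"""

KEY_RE = re.compile(r"^\[-?(.+)\]$")        # [HKEY...] or [-HKEY...] (ComboFix deletion marker)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "name"=value, value may be empty
# Security Center values that, when set to 1, silence the "no AV / no firewall" balloons.
SECURITY_CENTER_FLAGS = ("AntiVirusDisableNotify", "UpdatesDisableNotify",
                         "AntiVirusOverride", "FirewallOverride")
# Assumed list of Windows binaries that malware imitates with a one-letter change.
SYSTEM_BINARIES = ("taskmgr.exe", "svchost.exe", "explorer.exe",
                   "winlogon.exe", "lsass.exe", "sessmgr.exe")
# Assumed ImagePath prefixes that legitimate XP services use (besides a drive letter).
KNOWN_IMAGE_PREFIXES = ("system32\\", "%systemroot%", "\\systemroot\\", "\\??\\")

def parse_reg_blocks(text):
    """Map each [key] header to the (name, value) lines listed beneath it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            blocks.setdefault(current, [])
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            blocks[current].append((val.group(1), val.group(2)))
    return blocks

def edit_distance(a, b):
    """Levenshtein distance, used to spot taskmger.exe-style lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def security_center_overrides(blocks):
    """Names of the Security Center notification flags that have been switched to 1."""
    found = []
    for key, entries in blocks.items():
        if key.lower().endswith("security center"):
            found += [n for n, v in entries
                      if n in SECURITY_CENTER_FLAGS and v.lower() == "dword:00000001"]
    return found

def firewall_lookalikes(blocks):
    """Firewall exceptions whose file name is within two edits of a real Windows binary."""
    hits = []
    for key, entries in blocks.items():
        if "authorizedapplications" not in key.lower():
            continue
        for name, _ in entries:
            path = name.replace("\\\\", "\\")  # the log doubles backslashes in these names
            base = path.rsplit("\\", 1)[-1].lower()
            for real in SYSTEM_BINARIES:
                if base != real and edit_distance(base, real) <= 2:
                    hits.append((path, real))
    return hits

def unrooted_service_images(blocks):
    r"""Services whose ImagePath points nowhere a normal service lives (e.g. "\Sys")."""
    hits = []
    for key, entries in blocks.items():
        low = key.lower()
        if "\\services\\" not in low or "sharedaccess" in low:
            continue
        for name, value in entries:
            if name.lower() != "imagepath":
                continue
            image = value.strip('"')
            if re.match(r"[a-z]:\\", image, re.I) or image.lower().startswith(KNOWN_IMAGE_PREFIXES):
                continue
            hits.append((key.rsplit("\\", 1)[-1], image))
    return hits

def triage(log_text):
    """Run all three checks over one log; returns the findings by category."""
    blocks = parse_reg_blocks(log_text)
    return {"security_center_overrides": security_center_overrides(blocks),
            "firewall_lookalikes": firewall_lookalikes(blocks),
            "unrooted_service_images": unrooted_service_images(blocks)}
```

Run `triage(SAMPLE_LOG)` to see all three findings; on a clean log every list comes back empty.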

Re: multiple infections
CF is uninstalled on the last step, is this ok?
everything seems to be normal now, can i give the pc back to my sister now? after some use we can give better feedback about the machine a few days later.. i don't know how to thank you!!

if everything is done, can you give me some brief information about what happened to this machine and what caused this.. also you've told me that (about my pc) i was infected from messenger plus? are you sure about that? cos i dont use plus extensions.. are we both safe now? especially from this lop kind of problem that you've mentioned before.. can you give info about both computers separately?

now i am returning to my machine.. Glad that you're always here to help us, god bless you:))

Re: multiple infections
Don't know if you used Messenger Plus, but your sister did.

From CF log:

((((( Find3m )))))
c:\program files\Messenger Plus! Live

Re: multiple infections
i returned to my pc.. yes i am sure my sister still uses it.. do you have any advice about that? is it necessary to run CF on my pc? or finally is it time to relax:)?

Re: multiple infections
If your and your sister's machines are fine now, then I'd say you can relax.
Let me know how everything is in your next post.

Re: multiple infections
my machine seems to be working fine, i will ask my sister if everything has turned back to normal when i see her this evening.. thank you again for everything you've done for me.. I've started to support you on facebook and to advertise GP to my friends..

you've told me that you'd post a brief message about what happened to our machines, what the cause of the damage was, and how we can protect ourselves from future damage.. for example do you want me to post DDS or Hijackthis logs periodically, once a week or so?

another question i want to ask you is about the trojans i deleted via my antivirus before the consultation i had with you.. i cleaned nearly 50 Kryptik.GH, Kryptik.GF, Kryptik.GA, Kryptik.DQ and so on kryptik stuff, what were those? and am i carrying any risks now?

Re: multiple infections
i am more than happy to say that both of our machines work very well now :Clapping:

Re: multiple infections
Hello.
The Kryptik files I did a little research on today, they appear mostly in %temp%, which aren't dangerous.

Glad the machines are fine. Next time you/your sister installs Plus!, watch what it says because the 2 options will either install cleanly or restore this infection.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox, they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Re: multiple infections
thank you for your recommendations, i will consider and apply them slowly when i have free time.. can i be sure that this topic will remain open?

Re: multiple infections
It will remain open for about 7-10 days.
After 10 days, it will be closed.

If you want it re-opened, PM me or Doctor_Inferno.
If not, then just start a new topic.

Big Problems again:-(
hello my saviour again.. i am too upset to say that i'm writing from my sis's machine because the similar problems that i encountered on this machine have now damaged my laptop.. it means that i can't do anything on the internet at the moment, can't connect to any site, or msn etc..

everything was working fine yesterday night for me until my father took my laptop and not more than 5 minutes passed before suddenly he revealed that he can't even log in to hotmail.com.. i am really jaded with him because i can predict that he always tries to connect to those bad porn sites.. i suppose the damage is maybe from saturday night.. (cos i wasn't at home and probably he took my laptop and did strange things.. but the machine seemed to be fine all sunday till the night that i gave the machine to him..

the most common message that i receive when i try to connect with mozilla is something like 'web prescription: tr.start2.mozilla.com server is answering too late..' (i've tried to translate it to english)

note that: i had installed spybot S&D and outpost firewall on my laptop, couldn't avoid the damage:(

as a result i need your invaluable help again:(( do you want me to post the dds log or hijackthis log?

Re: multiple infections
DDS log please.

Re: multiple infections
hi again..
DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 16:44:29,56 on 02.03.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1553 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nodlogin.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Problem Çözümleme Artıkları\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
mDefault_Page_URL = hxxp://www.google.com.tr/
uInternet Settings,ProxyServer = libpxy.cc.yildiz.edu.tr:81
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Outpost Firewall] "c:\program files\agnitum\outpost firewall 1.0\outpost.exe" /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dk994s4c.default\

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R1 VFILT;Outpost Firewall Kernel Driver;c:\progra~1\agnitum\outpos~1.0\kernel\2000\FILTNT.SYS [2009-3-1 90368]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\ADBLOCK.DLL [2009-3-1 15552]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\CONTENT.DLL [2009-3-1 3904]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\DNSCACHE.DLL [2009-3-1 6144]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\FTPFILT.DLL [2009-3-1 6304]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTMLFILT.DLL [2009-3-1 7776]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTTPFILT.DLL [2009-3-1 9152]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\IMAPFILT.DLL [2009-3-1 7072]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\MAILFILT.DLL [2009-3-1 9920]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\NNTPFILT.DLL [2009-3-1 6656]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\POP3FILT.DLL [2009-3-1 7136]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\PROTECT.DLL [2009-3-1 15584]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Dönüştürücüsü;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-03-02 16:42 268 a---h--- C:\sqmdata03.sqm
2009-03-02 16:42 244 a---h--- C:\sqmnoopt03.sqm
2009-03-01 23:58 268 a---h--- C:\sqmdata02.sqm
2009-03-01 23:58 244 a---h--- C:\sqmnoopt02.sqm
2009-03-01 23:19 268 a---h--- C:\sqmdata01.sqm
2009-03-01 23:19 244 a---h--- C:\sqmnoopt01.sqm
2009-03-01 21:53 --d----- c:\program files\common files\Agnitum Shared
2009-03-01 21:53 --d----- c:\program files\Agnitum
2009-02-27 23:48 --d----- c:\program files\Spybot - Search & Destroy
2009-02-27 23:48 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-26 23:45 268 a---h--- C:\sqmdata00.sqm
2009-02-26 23:45 244 a---h--- C:\sqmnoopt00.sqm
2009-02-25 17:51 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-25 17:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-25 17:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 17:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 17:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 16:40 --d----- C:\Lop SD
2009-02-25 00:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-25 00:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-21 16:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:15 --d----- c:\docume~1\alluse~1\applic~1\KONAMI
2009-02-21 16:11 --d----- c:\program files\KONAMI
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-08 21:09 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf

==================== Find3M ====================

2009-03-01 22:57 413,744 a------- c:\windows\system32\perfh01F.dat
2009-03-01 22:57 82,292 a------- c:\windows\system32\perfc01F.dat

============= FINISH: 16:44:55,87 ===============

Re: multiple infections
Hello.
This log looks fine, there are no real signs of malware, only leftovers.
What problems is this machine having?

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\sqmdata*.sqm
    C:\sqmnoopt*.sqm
    C:\Lop SD


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: multiple infections
as i mentioned before: ''hello my saviour again.. i am too upset to say that i'm writing from my sis's machine because the similar problems that i encountered on this machine have now damaged my laptop.. it means that i can't do anything on the internet at the moment, can't connect to any site, or msn etc..

everything was working fine yesterday night for me until my father took my laptop and not more than 5 minutes passed before suddenly he revealed that he can't even log in to hotmail.com.. i am really jaded with him because i can predict that he always tries to connect to those bad porn sites.. i suppose the damage is maybe from saturday night.. (cos i wasn't at home and probably he took my laptop and did strange things.. but the machine seemed to be fine all sunday till the night that i gave the machine to him..

the most common message that i receive when i try to connect with mozilla is something like 'web prescription: tr.start2.mozilla.com server is answering too late..' (i've tried to translate it to english)

note that: i had installed spybot S&D and outpost firewall on my laptop, couldn't avoid the damage:(''
could the source of the damage occur when he opens his account? and then affect me?

Re: multiple infections
Maybe that's why DDS gave me nothing.
The malware is on the other account of the machine and just appears on yours without the files.

Your account is fine; can you log on to the other account and post a DDS log from that account?

Re: multiple infections

i think that will prove that i am innocent :-) we are curing the machine and he makes it ill easily :((

========== FILES ==========
C:\sqmdata00.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmdata03.sqm moved successfully.
C:\sqmnoopt00.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmnoopt03.sqm moved successfully.
C:\Lop SD moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03022009_171126

now i will open his account and post the dds log..

Re: multiple infections
DDS (Ver_09-02-01.01) - NTFSx86
Run by Moiz at 17:20:24,31 on 02.03.2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1254.90.1055.18.2046.1599 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nodlogin.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
E:\cem sorun giderme\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
mDefault_Page_URL = hxxp://www.google.com.tr/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NodLogin] c:\program files\eset\nodlogin.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Outpost Firewall] "c:\program files\agnitum\outpost firewall 1.0\outpost.exe" /waitservice
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\progra~1\balang~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Microsoft Excel'e &Ver - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\moiz\applic~1\mozilla\firefox\profiles\6xuxhze4.default\

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2009-2-8 15424]
R1 VFILT;Outpost Firewall Kernel Driver;c:\progra~1\agnitum\outpos~1.0\kernel\2000\FILTNT.SYS [2009-3-1 90368]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2009-2-8 552064]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\ADBLOCK.DLL [2009-3-1 15552]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\CONTENT.DLL [2009-3-1 3904]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\DNSCACHE.DLL [2009-3-1 6144]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\FTPFILT.DLL [2009-3-1 6304]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTMLFILT.DLL [2009-3-1 7776]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\HTTPFILT.DLL [2009-3-1 9152]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\IMAPFILT.DLL [2009-3-1 7072]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\MAILFILT.DLL [2009-3-1 9920]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\NNTPFILT.DLL [2009-3-1 6656]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\POP3FILT.DLL [2009-3-1 7136]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);c:\progra~1\agnitum\outpos~1.0\kernel\PROTECT.DLL [2009-3-1 15584]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Dönüştürücüsü;c:\windows\system32\drivers\ADM8511.SYS [2008-11-10 20160]

=============== Created Last 30 ================

2009-03-01 21:53 --d----- c:\program files\common files\Agnitum Shared
2009-03-01 21:53 --d----- c:\program files\Agnitum
2009-02-27 23:48 --d----- c:\program files\Spybot - Search & Destroy
2009-02-27 23:48 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-26 22:36 --d----- c:\docume~1\moiz\applic~1\BSplayer
2009-02-25 17:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-25 17:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-25 17:51 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 17:51 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-25 00:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-25 00:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-22 00:49 --d----- c:\docume~1\moiz\applic~1\Windows Search
2009-02-21 16:24 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-21 16:15 --d----- c:\docume~1\alluse~1\applic~1\KONAMI
2009-02-21 16:11 --d----- c:\program files\KONAMI
2009-02-15 17:59 a-dshr-- C:\autorun.inf
2009-02-08 21:09 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-08 21:07 512,096 a------- c:\windows\system32\drivers\amon.sys
2009-02-08 21:07 298,104 a------- c:\windows\system32\imon.dll
2009-02-08 21:07 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2009-02-02 20:45 230 a------- c:\windows\system32\spupdsvc.inf

==================== Find3M ====================

2009-03-01 22:57 413,744 a------- c:\windows\system32\perfh01F.dat
2009-03-01 22:57 82,292 a------- c:\windows\system32\perfc01F.dat

============= FINISH: 17:20:41,90 ===============

could it be a lop problem again? cos the symptoms are similar to the one that you healed the previous week on my sister's machine: the internet is unavailable although there seem to be no connection problems..
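The helper's verdict on logs like the one above is "no real signs of malware, only leftovers", and the way to reach that verdict is to read the DDS sections one at a time. As an added example (not part of the thread and not DDS's own code), here is a small Python 3 triage helper that splits a DDS log into its `===== name =====` sections and pulls out two things a reviewer checks first: Pseudo HJT entries whose file is gone (shown by DDS as `- No File`, the "leftovers" the helper refers to) and processes running from outside the usual Windows and Program Files locations. The location rule is a generic triage convention, not something DDS reports; the embedded log is a short excerpt constructed in the same format as the one posted.

```python
"""
Added example: section-aware triage of a DDS log.  Only two heuristics are
implemented, orphaned HJT-style entries and process paths outside the usual
system locations; both are review pointers for a human, not verdicts.
"""
import re

# A DDS section header looks like "============== Name ===============".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Constructed excerpt in the DDS format shown in the thread (hxxp is DDS's
# defanged spelling of http, kept as-is).
SAMPLE_LOG = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\Program Files\\Eset\\nod32krn.exe
C:\\WINDOWS\\Explorer.EXE
E:\\cem sorun giderme\\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.tr/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\\progra~1\\spybot~1\\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
mRun: [nod32kui] "c:\\program files\\eset\\nod32kui.exe" /WAITSERVICE

============= FINISH: 17:20:41,90 ===============
"""

# Locations a reviewer treats as "expected" for a process path on XP
# (generic assumption for this example, not from DDS).
USUAL_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def split_sections(text):
    """Map each section name to its non-empty lines, in log order."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def orphaned_entries(sections):
    """HJT-style entries whose target file no longer exists ('- No File').
    These are the harmless leftovers of an uninstall or an earlier cleanup."""
    return [l for l in sections.get("Pseudo HJT Report", [])
            if l.endswith("- No File")]


def unusual_processes(sections):
    """Running-process paths outside the usual system locations.  Bare names
    such as 'svchost.exe' carry no path and are skipped; '-k' service
    arguments are dropped before the path is judged."""
    flagged = []
    for line in sections.get("Running Processes", []):
        path = line.split(" -k ")[0].strip()
        if "\\" not in path:
            continue
        if not path.lower().startswith(USUAL_PREFIXES):
            flagged.append(path)
    return flagged


def triage(text):
    """Return the two review lists for a DDS log."""
    s = split_sections(text)
    return {"orphans": orphaned_entries(s), "unusual_processes": unusual_processes(s)}


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("  ", item)
```

On the excerpt the only orphan is the BHO with no file, and the only process outside the usual locations is dds.scr itself, which the user launched from a USB stick; both are exactly the kind of item that needs a human to say "expected" rather than a tool to delete.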

Re: multiple infections

when trying to surf it always says something like 'network prescription: mozilla server is answering too late..' below that it shows some reasons; maybe the outpost firewall's wrong settings could cause such a problem, i don't know?

Re: multiple infections
The log looks okay.
We can check if it's LOP, but I doubt it is.

The problem could be the firewall.
Uninstall it for now and see if it repairs it.

Re: multiple infections

yes you were right! it turned to normal after uninstalling the firewall.. (i've checked both accounts) am i supposed to do something else?

while checking his account i saw many bad sites that he usually uses probably.. do you advise me to delete his temp folder, to prevent future threats?

Re: multiple infections

if i don't know how to use a firewall well, i think i shouldn't use it, am i right?
and one more question: i was using a nod32 cracked version as you could see from the logs; do you advise me to use avira personal free instead of the cracked nod32?

and finally, are both spybot S&D and the firefox addons enough for my defence?

Re: multiple infections
Sticking with Windows firewall should be enough providing you surf safely.
The Firefox add-ons will protect you.

Yeah, uninstall nod32 and install Avira.

Re: multiple infections

ok i will use avira from now on..

how can i be sure that windows firewall is open and protecting me properly?
it seems closed and i can't open it from windows security center!?

Re: multiple infections
Windows would alert you if the firewall wasn't switched on.

Re: multiple infections

ok thank you for everything you've done for me :) i hope you aren't jaded of dealing with my problems again and again..

Re: multiple infections

hi again, this time i haven't got any problems with the machine :) ... just searching for a Piranha Webcam Driver model PC5000, can you help me?

Re: multiple infections
Maybe.
Please open a thread in the software area for that, since this is the malware removal section.
