06-26-2008, 02:05 PM   #41
chelseagle, Registered User
Join Date: Jun 2008
Posts: 50
OS: xp

Re: trojan problem

ComboFix 08-06-20.4 - Filiz 2008-06-26 23:50:04.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1254.1.1055.18.95 [GMT 3:00]
Running from: C:\Documents and Settings\Filiz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Filiz\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\system32\akjsdkaq.dll
C:\WINDOWS\system32\arjreler.dll
C:\WINDOWS\system32\yzztkmsn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\AppPatch\AcPlugin.dll
C:\WINDOWS\AppPatch\AcSpecf.dll
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\linkinfo.dll
C:\WINDOWS\system32\ddserh.dll
C:\WINDOWS\system32\drivers\cdralw.sys
C:\WINDOWS\system32\wymxajkl.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDRALW
-------\Service_cdralw


((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.

2008-06-26 23:40 . 2008-06-26 23:40 <DIR> d-------- C:\Program Files\Avira
2008-06-26 23:40 . 2008-06-26 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-26 23:13 . 2008-06-26 23:37 <DIR> d-------- C:\avira registrycleaner
2008-06-26 23:12 . 2008-02-26 11:19 1,024 --a------ C:\hbedv.key
2008-06-26 22:32 . 2008-06-26 23:45 18,048 --a------ C:\WINDOWS\system32\drivers\eth8023.sys
2008-06-26 21:18 . 2008-06-26 22:10 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-26 17:45 . 2008-06-26 17:45 28,672 --a------ C:\WINDOWS\system32\qflxs.dll
2008-06-26 17:45 . 2008-06-26 17:45 24,576 --a------ C:\WINDOWS\system32\womsoy.dll
2008-06-26 17:45 . 2008-06-26 17:45 24,576 --a------ C:\WINDOWS\system32\hellodon.dll
2008-06-26 17:44 . 2008-06-26 17:44 24 --a------ C:\WINDOWS\system32\ngjxakin.sys
2008-06-26 17:41 . 2008-06-26 17:41 28,672 --a------ C:\WINDOWS\system32\weblso.dll
2008-06-25 20:01 . 2008-06-25 20:01 <DIR> d-------- C:\Documents and Settings\Filiz\DoctorWeb
2008-06-25 15:50 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-24 16:10 . 2008-06-24 16:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-24 15:28 . 2008-06-24 16:32 <DIR> d-------- C:\SDFix
2008-06-24 15:22 . 2008-06-24 15:22 78 --a------ C:\WINDOWS\WININIT.INI
2008-06-24 15:06 . 2008-06-24 22:22 <DIR> d-------- C:\Program Files\Soulseek
2008-06-24 10:04 . 2008-06-24 10:04 <DIR> d-------- C:\Deckard
2008-06-23 21:03 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-23 21:03 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-23 21:03 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-23 21:03 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-23 21:03 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-23 21:03 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-23 21:03 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-23 21:03 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-23 21:03 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-22 11:09 . 2007-06-20 15:48 18,224 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-06-21 18:47 . 2008-06-21 18:48 <DIR> d-------- C:\Program Files\Panda Security
2008-06-21 09:21 . 2008-06-21 09:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-20 12:50 . 2008-06-26 13:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-20 12:50 . 2008-06-20 12:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 09:30 . 2008-06-14 20:33 272,000 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 01:26 . 2008-05-08 17:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-09 09:44 . 2008-06-09 09:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-08 11:24 . 2001-07-01 17:30 112,640 --a------ C:\WINDOWS\lsb_un20.exe
2008-06-02 21:01 . 2008-04-14 18:40 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-02 21:01 . 2008-04-14 18:40 14,592 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-27 17:17 . 2008-05-27 17:17 <DIR> d-------- C:\Program Files\Defraggler
2008-05-26 10:15 . 2008-05-26 10:23 <DIR> d-------- C:\Program Files\Incomplete

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 12:50 --------- d-----r C:\Program Files\Java
2008-06-21 15:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 17:33 272,000 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 08:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 18:02 124,104 -c--a-w C:\Documents and Settings\Filiz\Application Data\GDIPFONTCACHEV1.DAT
2008-06-01 09:03 --------- d-----w C:\Program Files\PowerArchiver
2008-05-25 17:58 --------- d-----w C:\Program Files\sfArk
2008-05-24 13:41 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-22 11:04 30,946 ----a-w C:\WINDOWS\system32\drivers\Partizan.sys
2008-05-11 13:03 --------- d-----w C:\Documents and Settings\Filiz\Application Data\Microsoft Games
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 18:52 --------- d-----r C:\Program Files\SpywareBlaster
2008-05-04 07:18 --------- d-----w C:\Program Files\WinAce
2008-04-29 13:44 --------- d-----w C:\Documents and Settings\Filiz\Application Data\Registry Booster
2008-04-28 17:07 --------- d-----w C:\Program Files\Yahoo!
2008-04-28 17:03 --------- d-----w C:\Program Files\CCleaner
2008-04-28 10:36 --------- d-----w C:\Program Files\Trend Micro
2008-04-28 04:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-04-27 14:44 --------- d-----w C:\Documents and Settings\Filiz\Application Data\Disney Interactive Studios
2008-04-14 16:00 69,632 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 16:00 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 16:00 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 16:00 284,160 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 16:00 147,968 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 16:00 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 16:00 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2007-01-30 10:14 113 --sh--w C:\Program Files\Common Files\Desktop.ini
2004-08-08 14:44 520 --sh--w C:\WINDOWS\system32\dtzfajke.sys
2004-08-08 14:44 520 --sh--w C:\WINDOWS\system32\erjxakin.sys
2004-08-08 14:45 520 --sh--w C:\WINDOWS\system32\igxyaloe.sys
2004-08-08 14:40 520 --sh--w C:\WINDOWS\system32\iujraler.sys
2004-08-08 17:57 536,072 --sh--w C:\WINDOWS\system32\nhmxdjkl.dll
2004-08-08 14:39 520 --sh--w C:\WINDOWS\system32\pzdyapaw.sys
2004-08-08 17:57 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
2004-08-08 14:40 520 --sh--w C:\WINDOWS\system32\sbsqakol.sys
2004-08-08 14:45 520 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
2004-08-08 14:44 520 --sh--w C:\WINDOWS\system32\snfybbyt.sys
.

((((((((((((((((((((((((((((( snapshot_2008-06-26_ 8.42.03.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-26 18:19:16 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-06-26 18:19:17 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-06-26 18:19:17 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-06-26 18:19:21 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 12:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 12:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-06-26 18:19:22 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-06-26 18:19:18 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 12:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
- 2008-06-26 05:37:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-26 20:55:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-01-09 12:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 12:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2008-01-21 15:12:56 41,792 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 15:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-03-04 10:28:53 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 07:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47AC9076-C898-B098-D098-A18319080974}]
2004-08-08 20:57 536072 ---hs---- C:\WINDOWS\system32\nhmxdjkl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-28 23:02 282624]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"= C:\WINDOWS\system32\zgrjdx.dll [ ]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= C:\WINDOWS\system32\wyrsdj.dll [ ]
"{A9895933-6636-4281-BC58-EE6DE2AF96E3}"= C:\WINDOWS\system32\ddserh.dll [ ]
"{47AC9076-C898-B098-D098-A18319080974}"= C:\WINDOWS\system32\nhmxdjkl.dll [2004-08-08 20:57 536072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=nhmxdjkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"= myokent.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon]
C:\Documents and Settings\All Users\Application Data\microsoft\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 19:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2008-04-28 23:03 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2008-04-28 23:03 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2008-04-28 23:03 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-28 23:02 1658592 C:\PROGRA~1\MESSEN~1\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a--c--- 2008-04-28 23:02 1077327 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-28 23:02 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\TOSHIBA\TOSHIBA Yakınlaştırma Yardımcı Programı\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
--a--c--- 2008-04-28 23:02 1089536 C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PurgProService"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SONY_MEDIAMGR"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17582:TCP"= 17582:TCP:NortonAV
"18910:TCP"= 18910:TCP:NortonAV
"17286:TCP"= 17286:TCP:NortonAV
"12446:TCP"= 12446:TCP:NortonAV
"18062:TCP"= 18062:TCP:NortonAV
"18101:TCP"= 18101:TCP:NortonAV
"4662:TCP"= 4662:TCP:filesharing
"4672:UDP"= 4672:UDP:filesharing2
"13064:TCP"= 13064:TCP:oldnortowemule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 18:11]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 23:57]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2004-12-10 19:12]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2008-04-13 21:36]
S3 eth8023;eth8023;C:\WINDOWS\system32\drivers\eth8023.sys [2008-06-26 23:45]
S3 IPN2220;INPROCOMM IPN2220 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-11-04 19:29]
S3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2004-08-18 18:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c153f831-6be2-11da-aef8-806d6172696f}]
\shell\play\command - "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1

*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
"2007-08-11 14:55:46 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 23:56:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\wymxajkl.sys 24 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
.
**************************************************************************
.
Completion time: 2008-06-27 0:01:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-26 21:01:41
ComboFix2.txt 2008-06-26 17:35:02
ComboFix3.txt 2008-06-26 13:45:21
ComboFix4.txt 2008-06-26 12:14:57
ComboFix5.txt 2008-06-26 05:42:38

19 Dir(s) 3,272,679,424 bytes free
23 Dir(s) 3,269,419,008 bytes free

248 --- E O F --- 2008-06-22 11:10:20





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:04:07, on 27/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: nhmxdjkl.dll - {47AC9076-C898-B098-D098-A18319080974} - C:\WINDOWS\system32\nhmxdjkl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} - https://sube.garanti.com.tr/lib/JaguarEditControl.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} - http://67.15.101.3/g_bin/eng/boards_2_0_0_32.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O20 - AppInit_DLLs: nhmxdjkl.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 5057 bytes
06-26-2008, 02:40 PM   #42
TheBruce1, Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland
Posts: 2,669
OS: XP

Re: trojan problem

Hello again

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

GXB Dialer 100001

============

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: nhmxdjkl.dll - {47AC9076-C898-B098-D098-A18319080974} - C:\WINDOWS\system32\nhmxdjkl.dll
O20 - AppInit_DLLs: nhmxdjkl.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)


Please remember to close all other windows, including browsers then click Fix checked.

============

Open Notepad and copy/paste the text in the quote box below into it:

Quote:
Driver::
JavaView
Rootkit::
C:\WINDOWS\system32\drivers\eth8023.sys
C:\WINDOWS\system32\wymxajkl.sys
File::
C:\WINDOWS\system32\hmsdvf.dll
C:\WINDOWS\system32\lpmxajkl.exe
C:\WINDOWS\system32\nhmxdjkl.dll
C:\WINDOWS\system32\tuker.dll
C:\WINDOWS\system32\weblsok.exe
C:\WINDOWS\system32\qflxs.dll
C:\WINDOWS\system32\womsoy.dll
C:\WINDOWS\system32\hellodon.dll
C:\WINDOWS\system32\ngjxakin.sys
C:\WINDOWS\system32\weblso.dll
C:\WINDOWS\system32\dtzfajke.sys
C:\WINDOWS\system32\erjxakin.sys
C:\WINDOWS\system32\igxyaloe.sys
C:\WINDOWS\system32\iujraler.sys
C:\WINDOWS\system32\nhmxdjkl.dll
C:\WINDOWS\system32\pzdyapaw.sys
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\sbsqakol.sys
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\snfybbyt.sys
Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"=-
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"=-
"{A9895933-6636-4281-BC58-EE6DE2AF96E3}"=-
"{47AC9076-C898-B098-D098-A18319080974}"=-

Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

===========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=========
Logs Required
C:\Combofix.txt
Hijackthis Log
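The two logs in the first post and the CFscript in the reply above turn on the same indicators: eight-letter random-named modules in system32 carrying hidden+system attributes, all stamped 2004-08-08 while the genuine XP SP3 files in the same log carry 2008-04-14, and wired into Explorer through a BHO, ShellExecuteHooks, SSODL, AppInit_DLLs and a Drivers32 MIDI entry. The Python script below is an added example, not a ComboFix or HijackThis feature and not code from this thread: it reads a ComboFix-style log, flags those file artefacts, and then flags every load point that references one of them, that ComboFix could not stat ("[ ]"), or that sits in a key Windows normally leaves empty. SAMPLE_LOG is a constructed excerpt in the shape of the log above, and the thresholds (sub-4 KB .sys files, three or more hidden files sharing one mtime) are this example's assumptions, not ComboFix's own classification.

```python
"""Flag, in a ComboFix-style log, the persistence pattern seen in this thread.

Added example, not a ComboFix or HijackThis feature.  Hidden+system modules in
system32 are flagged first; then every load point that references one of them,
that ComboFix could not stat ("[ ]"), or that sits in a key Windows normally
leaves empty.  The thresholds are this example's assumptions, not ComboFix's.
"""
import re
from collections import Counter

# "YYYY-MM-DD HH:MM <size|-----> <attrs> <path>" (Find3M lines and BHO module lines)
FILE_LINE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} "
                       r"(?P<size>[\d,]+|-+) (?P<attr>[-a-z]{7,9}) (?P<path>[A-Za-z]:\\.*)$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
MODULE_NAME = re.compile(r"([\w.-]+\.(?:dll|exe|sys|cpl))", re.I)
SUSPECT_KEYS = {  # keys ComboFix prints only when they hold a non-default value
    "shellexecutehooks": "ShellExecuteHooks entry; ComboFix hides the stock shell32 hook",
    "shellserviceobjectdelayload": "non-default SSODL object, loaded into explorer.exe at logon",
    "drivers32": "non-default multimedia handler in Drivers32; verify the module",
}

# Constructed excerpt in the shape of the log posted above, not the full log.
SAMPLE_LOG = r"""
2004-08-08 14:44 520 --sh--w C:\WINDOWS\system32\dtzfajke.sys
2004-08-08 14:44 520 --sh--w C:\WINDOWS\system32\erjxakin.sys
2004-08-08 17:57 536,072 --sh--w C:\WINDOWS\system32\nhmxdjkl.dll
2007-01-30 10:14 113 --sh--w C:\Program Files\Common Files\Desktop.ini
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47AC9076-C898-B098-D098-A18319080974}]
2004-08-08 20:57 536072 ---hs---- C:\WINDOWS\system32\nhmxdjkl.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{45AADFAA-DD36-42AB-83AD-0521BBF58C24}"= C:\WINDOWS\system32\zgrjdx.dll [ ]
"{47AC9076-C898-B098-D098-A18319080974}"= C:\WINDOWS\system32\nhmxdjkl.dll [2004-08-08 20:57 536072]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=nhmxdjkl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"= myokent.dll
"""


def parse_files(text):
    """{lowercased path: (date, size or None, attrs, path)}; first sighting wins."""
    found = {}
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and m["path"].lower() not in found:
            size = int(m["size"].replace(",", "")) if m["size"][0].isdigit() else None
            found[m["path"].lower()] = (m["date"], size, m["attr"], m["path"])
    return found


def flag_files(entries):
    """Hidden+system files under system32, each with the reasons that apply."""
    hidden = [e for e in entries.values() if {"s", "h"} <= set(e[2])
              and "d" not in e[2] and "\\windows\\system32\\" in e[3].lower()]
    per_date = Counter(e[0] for e in hidden)  # one mtime on many hidden files = timestomping
    flagged = []
    for date, size, attr, path in hidden:
        reasons = ["hidden+system attributes in system32"]
        if path.lower().endswith(".sys") and size is not None and size < 4096:
            reasons.append(f"{size}-byte .sys is far too small to be a real driver")
        if per_date[date] >= 3:
            reasons.append(f"{per_date[date]} hidden files share mtime {date} (timestomped)")
        flagged.append((path, reasons))
    return flagged


def flag_load_points(reg_text, flagged_files):
    """Walk the REGEDIT4 dump; return [(key, line, reasons)] for risky entries."""
    bad = {p.rsplit("\\", 1)[-1].lower() for p, _ in flagged_files}
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m["key"].lower()
            continue
        if not line or key is None:
            continue
        reasons = [why for needle, why in SUSPECT_KEYS.items() if needle in key]
        if line.lower().startswith('"appinit_dlls"=') and line.split("=", 1)[1].strip():
            reasons.append("AppInit_DLLs loads this DLL into every process that maps user32.dll")
        if line.endswith("[ ]"):
            reasons.append("ComboFix could not stat the file: missing, locked or rootkit-hidden")
        hits = {n.lower() for n in MODULE_NAME.findall(line)} & bad
        if hits:
            reasons.append("references flagged hidden module " + ", ".join(sorted(hits)))
        if reasons:
            findings.append((key, line, reasons))
    return findings


def triage(log_text):
    """Run both passes; load points are only parsed after the REGEDIT4 marker."""
    files = flag_files(parse_files(log_text))
    return {"files": files, "load_points": flag_load_points(log_text.partition("REGEDIT4")[2], files)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for item in report["files"] + [(line, why) for _, line, why in report["load_points"]]:
        print(item[0], "->", "; ".join(item[1]))
```

Run it as is to triage SAMPLE_LOG, or call triage() on the text of C:\ComboFix.txt. It only sees what ComboFix already printed: the 24-byte wymxajkl.sys that catchme reported as hidden, and the eth8023.sys driver that appeared the same day, are exactly the files a log parser cannot judge, which is why the reply puts them under Rootkit:: rather than File::.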
06-26-2008, 10:45 PM   #43
chelseagle, Registered User
Join Date: Jun 2008
Posts: 50
OS: xp

Re: trojan problem

I couldn't uninstall GXB Dialer. It said it cannot reach D:/MULTIMEDIA. I tried with CCleaner; it couldn't either. I deleted it, but that just got rid of the uninstaller.

ComboFix 08-06-20.4 - Filiz 2008-06-27 8:26:43.8 - NTFSx86
Running from: C:\Documents and Settings\Filiz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Filiz\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\dtzfajke.sys
C:\WINDOWS\system32\erjxakin.sys
C:\WINDOWS\system32\hellodon.dll
C:\WINDOWS\system32\hmsdvf.dll
C:\WINDOWS\system32\igxyaloe.sys
C:\WINDOWS\system32\iujraler.sys
C:\WINDOWS\system32\lpmxajkl.exe
C:\WINDOWS\system32\ngjxakin.sys
C:\WINDOWS\system32\nhmxdjkl.dll
C:\WINDOWS\system32\pzdyapaw.sys
C:\WINDOWS\system32\qflxs.dll
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\sbsqakol.sys
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\tuker.dll
C:\WINDOWS\system32\weblso.dll
C:\WINDOWS\system32\weblsok.exe
C:\WINDOWS\system32\womsoy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\linkinfo.dll
C:\WINDOWS\system32\drivers\cdralw.sys
C:\WINDOWS\system32\drivers\eth8023.sys
C:\WINDOWS\system32\dtzfajke.sys
C:\WINDOWS\system32\ergfwe.dll
C:\WINDOWS\system32\erjxakin.sys
C:\WINDOWS\system32\ghjyer.dll
C:\WINDOWS\system32\hellodon.dll
C:\WINDOWS\system32\igxyaloe.sys
C:\WINDOWS\system32\iujraler.sys
C:\WINDOWS\system32\jkjkll.dll
C:\WINDOWS\system32\lariytrz.cfg
C:\WINDOWS\system32\lariytrz.dll
C:\WINDOWS\system32\ngjxakin.sys
C:\WINDOWS\system32\nhmxdjkl.dll
C:\WINDOWS\system32\pzdyapaw.sys
C:\WINDOWS\system32\qflxs.dll
C:\WINDOWS\system32\rnmxajkl.sys
C:\WINDOWS\system32\sbsqakol.sys
C:\WINDOWS\system32\sergy.dll
C:\WINDOWS\system32\smdsbsrv.sys
C:\WINDOWS\system32\snfybbyt.sys
C:\WINDOWS\system32\weblso.dll
C:\WINDOWS\system32\womsoy.dll
C:\WINDOWS\system32\wymxajkl.sys
C:\WINDOWS\system32\wyrsdj.dll
C:\WINDOWS\system32\zdbdb.cfg
C:\WINDOWS\system32\zdbdb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDRALW
-------\Service_cdralw


((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-27 08:02 . 2008-06-27 08:02 11,264 --a------ C:\WINDOWS\system32\hellodonk.exe
2008-06-26 23:40 . 2008-06-26 23:40 <DIR> d-------- C:\Program Files\Avira
2008-06-26 23:40 . 2008-06-26 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-26 23:13 . 2008-06-26 23:37 <DIR> d-------- C:\avira registrycleaner
2008-06-26 23:12 . 2008-02-26 11:19 1,024 --a------ C:\hbedv.key
2008-06-26 21:18 . 2008-06-26 22:10 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-25 20:01 . 2008-06-25 20:01 <DIR> d-------- C:\Documents and Settings\Filiz\DoctorWeb
2008-06-25 15:50 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-24 16:10 . 2008-06-24 16:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-24 15:28 . 2008-06-24 16:32 <DIR> d-------- C:\SDFix
2008-06-24 15:22 . 2008-06-24 15:22 78 --a------ C:\WINDOWS\WININIT.INI
2008-06-24 15:06 . 2008-06-24 22:22 <DIR> d-------- C:\Program Files\Soulseek
2008-06-24 10:04 . 2008-06-24 10:04 <DIR> d-------- C:\Deckard
2008-06-23 21:03 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-23 21:03 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-23 21:03 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-23 21:03 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-23 21:03 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-23 21:03 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-23 21:03 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-23 21:03 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-23 21:03 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-22 11:09 . 2007-06-20 15:48 18,224 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-06-21 18:47 . 2008-06-21 18:48 <DIR> d-------- C:\Program Files\Panda Security
2008-06-21 09:21 . 2008-06-21 09:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-20 12:50 . 2008-06-26 13:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-20 12:50 . 2008-06-20 12:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 09:30 . 2008-06-14 20:33 272,000 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 01:26 . 2008-05-08 17:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-09 09:44 . 2008-06-09 09:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-08 11:24 . 2001-07-01 17:30 112,640 --a------ C:\WINDOWS\lsb_un20.exe
2008-06-02 21:01 . 2008-04-14 18:40 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-02 21:01 . 2008-04-14 18:40 14,592 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-27 17:17 . 2008-05-27 17:17 <DIR> d-------- C:\Program Files\Defraggler

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 12:50 --------- d-----r C:\Program Files\Java
2008-06-21 15:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 17:33 272,000 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 08:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 18:02 124,104 -c--a-w C:\Documents and Settings\Filiz\Application Data\GDIPFONTCACHEV1.DAT
2008-06-01 09:03 --------- d-----w C:\Program Files\PowerArchiver
2008-05-26 07:23 --------- d-----w C:\Program Files\Incomplete
2008-05-25 17:58 --------- d-----w C:\Program Files\sfArk
2008-05-24 13:41 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-22 11:04 30,946 ----a-w C:\WINDOWS\system32\drivers\Partizan.sys
2008-05-11 13:03 --------- d-----w C:\Documents and Settings\Filiz\Application Data\Microsoft Games
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 18:52 --------- d-----r C:\Program Files\SpywareBlaster
2008-05-04 07:18 --------- d-----w C:\Program Files\WinAce
2008-04-29 13:44 --------- d-----w C:\Documents and Settings\Filiz\Application Data\Registry Booster
2008-04-28 17:07 --------- d-----w C:\Program Files\Yahoo!
2008-04-28 17:03 --------- d-----w C:\Program Files\CCleaner
2008-04-28 10:36 --------- d-----w C:\Program Files\Trend Micro
2008-04-28 04:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-04-27 14:44 --------- d-----w C:\Documents and Settings\Filiz\Application Data\Disney Interactive Studios
2008-04-14 16:00 69,632 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 16:00 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 16:00 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 16:00 284,160 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 16:00 147,968 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 16:00 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 16:00 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2007-01-30 10:14 113 --sh--w C:\Program Files\Common Files\Desktop.ini
2004-08-08 05:02 16,734 --sh--w C:\WINDOWS\system32\agxyaloe.exe
2004-08-08 05:02 16,497 --sh--w C:\WINDOWS\system32\dazfajke.exe
2004-08-08 05:02 536,584 --sh--w C:\WINDOWS\system32\erxybloe.dll
2004-08-08 05:02 536,072 --sh--w C:\WINDOWS\system32\pqzfajke.dll
.

((((((((((((((((((((((((((((( snapshot_2008-06-26_ 8.42.03.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 17:13:38 27,136 ----a-w C:\WINDOWS\AppPatch\AcPlugin.dll
+ 2008-06-26 21:22:04 27,136 ----a-w C:\WINDOWS\AppPatch\AcPlugin.dll
- 2008-06-26 05:32:13 9,728 ----a-w C:\WINDOWS\AppPatch\AcSpecf.dll
+ 2008-06-27 05:27:11 9,728 ----a-w C:\WINDOWS\AppPatch\AcSpecf.dll
+ 2008-06-26 18:19:16 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-06-26 18:19:17 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-06-26 18:19:17 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-06-26 18:19:21 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 12:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 12:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-06-26 18:19:22 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-06-26 18:19:18 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 12:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
- 2008-06-26 05:37:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 05:32:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-01-09 12:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 12:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2008-01-21 15:12:56 41,792 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 15:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-03-04 10:28:53 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 07:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20909876-4567-3908-4056-909834565102}]
2004-08-08 08:02 536584 ---hs---- C:\WINDOWS\system32\erxybloe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}]
2004-08-08 08:02 536072 ---hs---- C:\WINDOWS\system32\pqzfajke.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-28 23:02 282624]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}"= C:\WINDOWS\system32\pqzfajke.dll [2004-08-08 08:02 536072]
"{20909876-4567-3908-4056-909834565102}"= C:\WINDOWS\system32\erxybloe.dll [2004-08-08 08:02 536584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=jkjkll.dll,ghjyer.dll,ilkyu.dll,yukevg.dll,ghkrg.dll,tuker.dll,ujkwet.dll,asfjthj.dll,hmsdvf.dll,jrhhh.dll,sdrfh.dll,vhsdfg.dll,dger.dll,losdf.dll,kergt.dll,gfcfg.dll,reger.dll,hrergh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,fgthde.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,rthkyuk.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,ghthhh.dll,yjrfe.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll, hellodon.dll,nhmxdjkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"= myokent.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon]
C:\Documents and Settings\All Users\Application Data\microsoft\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 19:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2008-04-28 23:03 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2008-04-28 23:03 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2008-04-28 23:03 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-28 23:02 1658592 C:\PROGRA~1\MESSEN~1\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a--c--- 2008-04-28 23:02 1077327 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-28 23:02 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\TOSHIBA\TOSHIBA Yakınlaştırma Yardımcı Programı\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
--a--c--- 2008-04-28 23:02 1089536 C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PurgProService"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SONY_MEDIAMGR"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17582:TCP"= 17582:TCP:NortonAV
"18910:TCP"= 18910:TCP:NortonAV
"17286:TCP"= 17286:TCP:NortonAV
"12446:TCP"= 12446:TCP:NortonAV
"18062:TCP"= 18062:TCP:NortonAV
"18101:TCP"= 18101:TCP:NortonAV
"4662:TCP"= 4662:TCP:filesharing
"4672:UDP"= 4672:UDP:filesharing2
"13064:TCP"= 13064:TCP:oldnortowemule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 18:11]
R1 SMBHC;Microsoft SM Yolu Ana Denetleyici Sürücüsü;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 23:57]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2004-12-10 19:12]
R3 SMBBATT;Microsoft Akıllı Pil Sürücüsü;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2008-04-13 21:36]
S3 eth8023;eth8023;C:\WINDOWS\system32\drivers\eth8023.sys []
S3 IPN2220;INPROCOMM IPN2220 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-11-04 19:29]
S3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2004-08-18 18:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c153f831-6be2-11da-aef8-806d6172696f}]
\shell\play\command - "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1

.
Contents of the 'Scheduled Tasks' folder
"2007-08-11 14:55:46 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 08:33:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
.
**************************************************************************
.
Completion time: 2008-06-27 8:38:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-27 05:38:39
ComboFix2.txt 2008-06-26 21:01:50
ComboFix3.txt 2008-06-26 17:35:02
ComboFix4.txt 2008-06-26 13:45:21
ComboFix5.txt 2008-06-26 12:14:57

19 Dizin 3,232,763,904 bayt boş
23 Dizin 3,229,306,880 bayt boş

273 --- E O F --- 2008-06-22 11:10:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:41:49, on 27/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: erxybloe.dll - {20909876-4567-3908-4056-909834565102} - C:\WINDOWS\system32\erxybloe.dll
O2 - BHO: pqzfajke.dll - {60A345CD-ABCD-EFAB-CDEF-ABCD01020306} - C:\WINDOWS\system32\pqzfajke.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} - https://sube.garanti.com.tr/lib/JaguarEditControl.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} - http://67.15.101.3/g_bin/eng/boards_2_0_0_32.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O20 - AppInit_DLLs: jkjkll.dll,ghjyer.dll,ilkyu.dll,yukevg.dll,ghkrg.dll,tuker.dll,ujkwet.dll,asfjthj.dll,hmsdvf.dll,jrhhh.dll,sdrfh.dll,vhsdfg.dll,dger.dll,losdf.dll,kergt.dll,gfcfg.dll,reger.dll,hrergh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,fgthde.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,rthkyuk.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,ghthhh.dll,yjrfe.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll, hellodon.dll,nhmxdjkl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 5917 bytes
chelseagle is offline  
Old 06-27-2008, 06:31 AM   #44 (permalink)
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann,Scotland.
Posts: 2,669
OS: XP


Re: trojan problem

It feels like one step forward, three steps back. Anyway, we'll try this another way.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.


=========

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: erxybloe.dll - {20909876-4567-3908-4056-909834565102} - C:\WINDOWS\system32\erxybloe.dll
O2 - BHO: pqzfajke.dll - {60A345CD-ABCD-EFAB-CDEF-ABCD01020306} - C:\WINDOWS\system32\pqzfajke.dll
O20 - AppInit_DLLs: jkjkll.dll,ghjyer.dll,ilkyu.dll,yukevg.dll,ghkrg.dll,tuker.dll,ujkwet.dll,asfjthj.dll,hmsdvf.dll,jrhhh.dll,sdrfh.dll,vhsdfg.dll,dger.dll,losdf.dll,kergt.dll,gfcfg.dll,reger.dll,hrergh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,fgthde.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,rthkyuk.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,ghthhh.dll,yjrfe.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll, hellodon.dll,nhmxdjkl.dll
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)


Please remember to close all other windows, including browsers then click Fix checked.

=========

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Rootkit::
C:\WINDOWS\system32\hellodonk.exe
C:\WINDOWS\system32\agxyaloe.exe
C:\WINDOWS\system32\dazfajke.exe
C:\WINDOWS\system32\erxybloe.dll
C:\WINDOWS\system32\pqzfajke.dll
C:\WINDOWS\AppPatch\AcPlugin.dll
C:\WINDOWS\AppPatch\AcSpecf.dll
C:\WINDOWS\system32\drivers\eth8023.sys
Driver::
eth8023.sys
Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}"=-
"{20909876-4567-3908-4056-909834565102}"=-
Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

==========

Reboot back into normal mode if ComboFix does not reboot your system.

==========

Download Malwarebytes' Anti-Malware at Here or Here. Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


=========

Run Deckard's System Scanner once again.

=========
Logs Required
C:\Combofix.txt
MBAM Log
C:\Deckard\System Scanner\main.txt
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
Trial of BT-Phorm spyware to start 30th September, 2008. For more information please visit the No DPI website.



Phorm, previously known as 121Media, was responsible for the Apropos rootkit; see Here for more information on said rootkit.


If we have helped you in any way, please consider Donating
TheBruce1 is offline  
Old 06-27-2008, 08:10 AM   #45 (permalink)
Registered User
Join Date: Jun 2008
Posts: 50
OS: xp


Re: trojan problem

ComboFix 08-06-20.4 - Filiz 2008-06-27 16:54:56.9 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1254.1.1055.18.102 [GMT 3:00]
Running from: C:\Documents and Settings\Filiz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Filiz\Desktop\CFscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\AppPatch\AcPlugin.dll
C:\WINDOWS\AppPatch\AcSpecf.dll
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\linkinfo.dll
C:\WINDOWS\system32\agxyaloe.exe
C:\WINDOWS\system32\dazfajke.exe
C:\WINDOWS\system32\drivers\cdralw.sys
C:\WINDOWS\system32\drivers\eth8023.sys
C:\WINDOWS\system32\erxybloe.dll
C:\WINDOWS\system32\fassaplo.sys
C:\WINDOWS\system32\hellodonk.exe
C:\WINDOWS\system32\lassaplo.dll
C:\WINDOWS\system32\lkssaplo.exe
C:\WINDOWS\system32\pqzfajke.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDRALW
-------\Service_cdralw


((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-27 16:22 . 2008-06-27 16:22 28,672 --a------ C:\WINDOWS\system32\qflxs.dll
2008-06-27 16:22 . 2008-06-27 16:22 24,576 --a------ C:\WINDOWS\system32\hellodon.dll
2008-06-26 23:40 . 2008-06-26 23:40 <DIR> d-------- C:\Program Files\Avira
2008-06-26 23:40 . 2008-06-26 23:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-26 23:13 . 2008-06-26 23:37 <DIR> d-------- C:\avira registrycleaner
2008-06-26 23:12 . 2008-02-26 11:19 1,024 --a------ C:\hbedv.key
2008-06-26 21:18 . 2008-06-26 22:10 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-25 20:01 . 2008-06-25 20:01 <DIR> d-------- C:\Documents and Settings\Filiz\DoctorWeb
2008-06-25 15:50 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-24 16:10 . 2008-06-24 16:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-24 15:28 . 2008-06-24 16:32 <DIR> d-------- C:\SDFix
2008-06-24 15:22 . 2008-06-24 15:22 78 --a------ C:\WINDOWS\WININIT.INI
2008-06-24 15:06 . 2008-06-24 22:22 <DIR> d-------- C:\Program Files\Soulseek
2008-06-24 10:04 . 2008-06-24 10:04 <DIR> d-------- C:\Deckard
2008-06-23 21:03 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-23 21:03 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-23 21:03 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-23 21:03 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-23 21:03 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-23 21:03 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-23 21:03 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-23 21:03 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-23 21:03 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-22 11:09 . 2007-06-20 15:48 18,224 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-06-21 18:47 . 2008-06-21 18:48 <DIR> d-------- C:\Program Files\Panda Security
2008-06-21 09:21 . 2008-06-21 09:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-06-20 12:50 . 2008-06-26 13:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-20 12:50 . 2008-06-20 12:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 09:30 . 2008-06-14 20:33 272,000 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-12 01:26 . 2008-05-08 17:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-09 09:44 . 2008-06-09 09:44 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-08 11:24 . 2001-07-01 17:30 112,640 --a------ C:\WINDOWS\lsb_un20.exe
2008-06-02 21:01 . 2008-04-14 18:40 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-02 21:01 . 2008-04-14 18:40 14,592 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-27 17:17 . 2008-05-27 17:17 <DIR> d-------- C:\Program Files\Defraggler

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 12:50 --------- d-----r C:\Program Files\Java
2008-06-21 15:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 07:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 17:33 272,000 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 08:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 18:02 124,104 -c--a-w C:\Documents and Settings\Filiz\Application Data\GDIPFONTCACHEV1.DAT
2008-06-01 09:03 --------- d-----w C:\Program Files\PowerArchiver
2008-05-26 07:23 --------- d-----w C:\Program Files\Incomplete
2008-05-25 17:58 --------- d-----w C:\Program Files\sfArk
2008-05-24 13:41 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-22 11:04 30,946 ----a-w C:\WINDOWS\system32\drivers\Partizan.sys
2008-05-11 13:03 --------- d-----w C:\Documents and Settings\Filiz\Application Data\Microsoft Games
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 18:52 --------- d-----r C:\Program Files\SpywareBlaster
2008-05-04 07:18 --------- d-----w C:\Program Files\WinAce
2008-04-29 13:44 --------- d-----w C:\Documents and Settings\Filiz\Application Data\Registry Booster
2008-04-28 17:07 --------- d-----w C:\Program Files\Yahoo!
2008-04-28 17:03 --------- d-----w C:\Program Files\CCleaner
2008-04-28 10:36 --------- d-----w C:\Program Files\Trend Micro
2008-04-28 04:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-04-27 14:44 --------- d-----w C:\Documents and Settings\Filiz\Application Data\Disney Interactive Studios
2008-04-14 16:00 69,632 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 16:00 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 16:00 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 16:00 284,160 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 16:00 147,968 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 16:00 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 16:00 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2007-01-30 10:14 113 --sh--w C:\Program Files\Common Files\Desktop.ini
2004-08-08 13:21 520 --sh--w C:\WINDOWS\system32\dtzfajke.sys
2004-08-08 13:22 520 --sh--w C:\WINDOWS\system32\igxyaloe.sys
.

((((((((((((((((((((((((((((( snapshot_2008-06-26_ 8.42.03.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-26 18:19:16 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll
+ 2008-06-26 18:19:17 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll
+ 2008-06-26 18:19:17 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll
+ 2008-06-26 18:19:21 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2008-01-09 12:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 12:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-06-26 18:19:22 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll
+ 2008-06-26 18:19:18 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll
+ 2008-01-09 12:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
- 2008-06-26 05:37:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 14:01:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-01-09 12:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll
+ 2008-01-09 12:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll
+ 2008-01-21 15:12:56 41,792 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-01-21 15:11:28 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-03-04 10:28:53 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 07:34:22 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20909876-4567-3908-4056-909834565102}]
C:\WINDOWS\system32\erxybloe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60A345CD-ABCD-EFAB-CDEF-ABCD01020306}]
C:\WINDOWS\system32\pqzfajke.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 19:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-04-28 23:02 282624]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 19:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"= myokent.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon]
C:\Documents and Settings\All Users\Application Data\microsoft\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 19:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2008-04-28 23:03 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2008-04-28 23:03 118784 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2008-04-28 23:03 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-28 23:02 1658592 C:\PROGRA~1\MESSEN~1\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a--c--- 2008-04-28 23:02 1077327 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-28 23:02 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\TOSHIBA\TOSHIBA Yakınlaştırma Yardımcı Programı\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
--a--c--- 2008-04-28 23:02 1089536 C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PurgProService"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SONY_MEDIAMGR"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17582:TCP"= 17582:TCP:NortonAV
"18910:TCP"= 18910:TCP:NortonAV
"17286:TCP"= 17286:TCP:NortonAV
"12446:TCP"= 12446:TCP:NortonAV
"18062:TCP"= 18062:TCP:NortonAV
"18101:TCP"= 18101:TCP:NortonAV
"4662:TCP"= 4662:TCP:filesharing
"4672:UDP"= 4672:UDP:filesharing2
"13064:TCP"= 13064:TCP:oldnortowemule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 18:11]
R1 SMBHC;Microsoft SM Yolu Ana Denetleyici Sürücüsü;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 23:57]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2004-12-10 19:12]
R3 SMBBATT;Microsoft Akıllı Pil Sürücüsü;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2008-04-13 21:36]
S3 eth8023;eth8023;C:\WINDOWS\system32\drivers\eth8023.sys []
S3 IPN2220;INPROCOMM IPN2220 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-11-04 19:29]
S3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2004-08-18 18:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c153f831-6be2-11da-aef8-806d6172696f}]
\shell\play\command - "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1

.
Contents of the 'Scheduled Tasks' folder
"2007-08-11 14:55:46 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 17:01:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
.
**************************************************************************
.
Completion time: 2008-06-27 17:10:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-27 14:10:18
ComboFix2.txt 2008-06-27 05:38:49
ComboFix3.txt 2008-06-26 21:01:50
ComboFix4.txt 2008-06-26 17:35:02
ComboFix5.txt 2008-06-26 13:45:21

19 Dizin 3,477,319,680 bayt boş
23 Dizin 3,224,969,216 bayt boş

230 --- E O F --- 2008-06-22 11:10:20

Malwarebytes' Anti-Malware 1.18
Database version: 895

18:00:05 27/06/2008
mbam-log-6-27-2008 (18-00-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 91551
Time elapsed: 39 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{45aadfaa-dd36-42ab-83ad-0521bbf58c24} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080627-165209-812.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080627-165209-892.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080627-165242-122.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080627-165243-520.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP15\A0003818.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP17\A0003938.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP19\A0004058.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP19\A0004065.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP19\A0004072.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP21\A0004084.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP21\A0004091.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP21\A0004140.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0004156.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0004159.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0004164.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0004167.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0004170.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0004177.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0004232.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0004233.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0004234.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0004235.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0005195.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0005202.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0006202.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0006210.sys (Trojan.Alman) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0006221.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0006222.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C262D2C8-B360-48C1-983F-DACF369CA37B}\RP22\A0006226.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\cdralw.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Deckard's System Scanner v20071014.68
Run by Filiz on 2008-06-27 18:04:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 239 MiB (512 MiB recommended).
System Drive C: has 3.01 GiB (less than 15%) free.


-- HijackThis (run as Filiz.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:04:28, on 27/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Filiz\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Filiz.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =