Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
08-10-2007, 03:29 AM   #1
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Browser hijacker, backdoor.haxdoor, etc

Hello,

I've been trying to solve malware issues and succeeded in removing some of them but need help with Internet Explorer settings and backdoor.haxdoor. Below is my HJT log and some info on removed items:

--------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:13:49, on 10.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Suxo\suxo.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: OneNote'a Gönder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote'a G&önder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186416810968
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

-------------------------------------------------------------------------------------------------------------------------

Microworld’s e-scan log:

Wed Aug 08 23:27:57 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buddylinks.net !!!
Wed Aug 08 23:27:57 2007 => Deleting Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buddylinks.net
Wed Aug 08 23:29:32 2007 => Object "buddylinks Spyware/Adware" found in File System! Action Taken: Entries Removed.

Wed Aug 08 23:29:33 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gator.com !!!
Wed Aug 08 23:29:33 2007 => Deleting Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gator.com
Wed Aug 08 23:29:33 2007 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed.

Wed Aug 08 23:29:33 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com !!!
Wed Aug 08 23:29:33 2007 => Deleting Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com
Wed Aug 08 23:29:33 2007 => Object "medload Browser Hijacker" found in File System! Action Taken: Entries Removed.

Wed Aug 08 23:29:34 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\web3000.com !!!
Wed Aug 08 23:29:34 2007 => Deleting Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\web3000.com
Wed Aug 08 23:29:34 2007 => Object "web3000 Spyware/Adware" found in File System! Action Taken: Entries Removed.

Wed Aug 08 23:29:34 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winhound.com !!!
Wed Aug 08 23:29:34 2007 => Deleting Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winhound.com
Wed Aug 08 23:29:34 2007 => Object "smitfraud Browser Hijacker" found in File System! Action Taken: Entries Removed.

Wed Aug 08 23:29:34 2007 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\p3p\history\gator.com !!!
Wed Aug 08 23:29:34 2007 => Deleting Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\p3p\history\gator.com
Wed Aug 08 23:29:34 2007 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed.

Wed Aug 08 23:29:34 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\p3p\history\gator.com !!!
Wed Aug 08 23:29:34 2007 => Deleting Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\p3p\history\gator.com
Wed Aug 08 23:29:34 2007 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: Entries Removed.

------------------------------------------------------------------------------------------------------------------------

kaspersky internet security 7 log:

detected: virus Heur.Trojan.Generic (modification) File: C:\System Volume Information\_restore{21582CFF-E91B-4F54-83B7-B1DE856A59DC}\RP1\A0000193.exe//PE_Patch.UPX
detected: virus Heur.Trojan.Generic (modification) File: C:\System Volume Information\_restore{21582CFF-E91B-4F54-83B7-B1DE856A59DC}\RP1\A0000225.exe//file0152//PE_Patch.UPX
detected: virus Heur.Trojan.Generic (modification) File: C:\System Volume Information\_restore{21582CFF-E91B-4F54-83B7-B1DE856A59DC}\RP1\A0000289.exe//file0152//PE_Patch.UPX

After removing all these threats in safe mode, I've disabled system restore. However, next was the problem with the suspicious services: “sr.sys” & “cmbatt.sys”. sr.sys was associated with IoLogMsg.dll in the registry.
--------------------------------------------------------------------------------------------------------------------------

Trojan Remover’s findings:

Key=sr
ImagePath=\SystemRoot\\SystemRoot\system32\DRIVERS\sr.sys - appears to contain BACKDOOR.HAXDOOR (HEURISTIC DETECTION)
ImagePath=\SystemRoot\\SystemRoot\system32\DRIVERS\sr.sys - this reference has been removed
C:\WINDOWS\\SystemRoot\system32\DRIVERS\sr.sys - unable to take ownsership/change permissions
C:\WINDOWS\\SystemRoot\system32\DRIVERS\sr.sys has been marked for renaming when the PC is restarted (if it exists)

***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
09.08.2007 12:33:17: Trojan Remover has been restarted
Unable to rename C:\WINDOWS\\SystemRoot\system32\DRIVERS\sr.sys to C:\WINDOWS\\SystemRoot\system32\DRIVERS\sr.sys.ren
(C:\WINDOWS\\SystemRoot\system32\DRIVERS\sr.sys does not appear to exist)
09.08.2007 12:33:17: Trojan Remover closed

Trojan remover failed to disinfect. Sr.sys actually existed in the system32\drivers and system32\dllcache folders (as cmbatt.sys did also).

--------------------------------------------------------------------------------------------------------------------------

HAXFIX logfile - by Marckie

version 4.49
09.08.2007 13:55:04,93

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
CmBatt

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


--- Catchme logfile - thank you Gmer ---

catchme 0.3.1066 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 13:55:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOr der\Start Menu\Programs\Donat\x131lar\0\1l]
"Order"=hex:08,00,00,00,02,00,00,00,54,04,00,00,01,00,00,00,06,00,00,00,b0, ..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden files: 0


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!


----------------------------------------------------------------------------------------------------------------------------

Any help will be gratefully appreciated. Thanx in advance.

----------------------------------------------------------------------------------------------------------------------------
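The Trojan Remover findings in the post above show a service ImagePath with a doubled `\SystemRoot\` prefix, and a rename attempt against `C:\WINDOWS\\SystemRoot\system32\DRIVERS\sr.sys`, a location that does not exist, while the real file sat in `system32\drivers`. The Python below is an added example, not code from the thread or from any of the tools named in it: it resolves ImagePath values the way Windows does (NT object path, `\SystemRoot\`, `%SystemRoot%`, or a path relative to the Windows directory), counts repeated prefixes, and reproduces the literal path form the tool reported so the two can be compared. It assumes `C:\WINDOWS` as the system root (as in the HJT log) and uses a constructed log fragment modelled on the post.

```python
import re

# Assumption: the Windows directory on this XP machine, as seen in the HJT log.
SYSTEM_ROOT = r"C:\WINDOWS"

# Constructed sample, modelled on the Trojan Remover findings in the post:
# the sr entry with its doubled prefix, plus two ordinary ImagePath forms.
SAMPLE_LOG = r"""
Key=sr
ImagePath=\SystemRoot\\SystemRoot\system32\DRIVERS\sr.sys - appears to contain BACKDOOR.HAXDOOR (HEURISTIC DETECTION)
Key=CmBatt
ImagePath=system32\DRIVERS\CmBatt.sys
Key=AegisP
ImagePath=\??\C:\WINDOWS\system32\drivers\aegisp.sys
"""

# One '\SystemRoot\' or '%SystemRoot%\' prefix at the start of a path.
_ROOT_PREFIX = re.compile(r"^(?:\\SystemRoot\\|%SystemRoot%\\)", re.IGNORECASE)
_KEY_LINE = re.compile(r"^Key=(\S+)")
# The path ends where Trojan Remover's ' - <comment>' begins, if present.
_IMAGE_LINE = re.compile(r"^ImagePath=(.+?)(?:\s-\s.*)?$")
_NT_DRIVE_PREFIX = "\\??\\"


def strip_root_prefixes(path):
    """Remove every leading root prefix; return (remainder, how many removed)."""
    removed = 0
    while True:
        m = _ROOT_PREFIX.match(path)
        if m is None:
            return path, removed
        path = path[m.end():]
        removed += 1


def resolve_image_path(image_path, system_root=SYSTEM_ROOT):
    r"""Resolve an ImagePath value to the absolute Win32 path the kernel loads.

    Forms handled, as the service control manager and object manager treat
    them: '\??\C:\...' is an NT object path to a drive letter; '\SystemRoot\'
    and '%SystemRoot%\' name the Windows directory; a path with no root is
    relative to the Windows directory.  Repeated root prefixes collapse to one.
    """
    path = image_path.strip()
    if path.startswith(_NT_DRIVE_PREFIX):
        return path[len(_NT_DRIVE_PREFIX):]
    remainder, removed = strip_root_prefixes(path)
    if removed == 0 and re.match(r"^[A-Za-z]:\\", remainder):
        return remainder          # already an absolute drive path
    return system_root + "\\" + remainder


def as_reported(image_path, system_root=SYSTEM_ROOT):
    r"""Reproduce the path form shown in the Trojan Remover log: the Windows
    directory prepended after removing only the FIRST root prefix.  With a
    doubled prefix this yields 'C:\WINDOWS\\SystemRoot\...', which is not a
    real location, so a rename against it finds nothing."""
    if image_path.startswith(_NT_DRIVE_PREFIX):
        return image_path[len(_NT_DRIVE_PREFIX):]
    m = _ROOT_PREFIX.match(image_path)
    remainder = image_path[m.end():] if m else image_path
    return system_root + "\\" + remainder


def triage(log_text, system_root=SYSTEM_ROOT):
    """Parse Key=/ImagePath= pairs and annotate each with the resolved path,
    the number of root prefixes found, and the literal path as reported."""
    rows, key = [], None
    for line in log_text.splitlines():
        k = _KEY_LINE.match(line)
        if k:
            key = k.group(1)
            continue
        img = _IMAGE_LINE.match(line)
        if img and key is not None:
            raw = img.group(1)
            _, prefixes = strip_root_prefixes(raw)
            rows.append({
                "key": key,
                "image_path": raw,
                "root_prefixes": prefixes,
                "resolved": resolve_image_path(raw, system_root),
                "as_reported": as_reported(raw, system_root),
                "doubled_prefix": prefixes > 1,
            })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        flag = "  <-- doubled root prefix" if row["doubled_prefix"] else ""
        print(f'{row["key"]:8} {row["resolved"]}{flag}')
        if row["doubled_prefix"]:
            print(f'         reported as: {row["as_reported"]}')
```

A resolved path that exists on disk while the reported path does not is the signature of this kind of tooling mismatch, and is worth checking before treating a heuristic driver detection as real.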

08-10-2007, 04:48 AM   #2
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Browser hijacker, backdoor.haxdoor, etc

Sounds like a false positive. C:\Windows\system32\drivers\sr.sys is a legitimate Microsoft file relating to System Restore.

You can read up about sr.sys here: http://www.file.net/process/sr.sys.html

If in doubt, google for sr.sys.


----------

Please perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html

Under SCANNING OPTIONS, use the following Settings:
  • Action options - Report only
  • Second option - Report only

Once finished, click on the Details button to view the results.
To the upper right of the results you will see an option saying "Click here to export the scan results". Post the log of the scan results in your next reply.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 08-10-2007 at 04:57 AM.
08-10-2007, 07:11 AM   #3
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Browser hijacker, backdoor.haxdoor, etc

thank you very much for your quick reply.

I cannot perform the bitdefender online scan. Tried several times, but when it updates the virus database and starts scanning my computer, suddenly the internet explorer window shuts down and kaspersky gives the following alert:

Process C:\system32\drwtsn32.exe tried to access Kaspersky Internet Security, but the action has been blocked by the self-defense component. No action on your part is required.

Further, the same alert comes frequently for iexplore.exe, even when the pc is idle.

I have scanned iexplore.exe and drwtsn32.exe on virusjotti. Nothing found. Don't know what to do now :(.

Last edited by Ioo; 08-10-2007 at 07:16 AM.
08-10-2007, 03:05 PM   #4
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Browser hijacker, backdoor.haxdoor, etc

Hi again,

Although I followed the instructions given in the bitdefender online scanner faq's, I could not manage to start a scan. I scanned with panda online scanner. The outcome was that no malicious objects existed in my system. I also tried trendmicro's housecall; it found adware-bestoffers and vulnerabilities in the internet explorer. But I could not get the report, as my browser crashed several times. I regularly check microsoft updates, but the official site doesn't recognize any emergent updates for my system. Finally I reinstalled manually the so-called cumulative update for internet explorer 7.

I'm much concerned about the hidden registry entry that hax-fix revealed. What should be done for it? Finally, which online scanner should I try next?
08-10-2007, 04:21 PM   #5
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Browser hijacker, backdoor.haxdoor, etc

Quote:
I'm much concerned about the hidden registry entry that hax-fix revealed. What should be done for it?
That's a false positive. Don't worry about that.

Quote:
I cannot perform the bitdefender online scan. Tried several times, but when it updates the virus database and starts scanning my computer, suddenly the internet explorer window shuts down and kaspersky gives the following alert:
When performing any online scans, you first need to disable your resident scanner's real time monitors i.e. Kaspersky. If it's not disabled, both scanners will be fighting amongst themselves & will produce inaccurate results.
08-10-2007, 08:01 PM   #6
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Browser hijacker, backdoor.haxdoor, etc

I have tried again disabling kaspersky; even completely exiting it didn't work: the same sudden shutdown of my browser as soon as it starts scanning. In fact I had already tried this before posting here. Maybe it's an issue with the site, because I was able to use it some time ago.


Would you suggest any other online scanner?

thnx again for your time.
08-10-2007, 08:32 PM   #7
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Browser hijacker, backdoor.haxdoor, etc

Life's full of mysteries. Let's see if this one works:

F-Secure Online Scanner - http://support.f-secure.com/enu/home/ols.shtml
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
  • Then click the F-Secure Online Scanner Next Generation Beta link.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.
08-10-2007, 08:35 PM   #8
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Browser hijacker, backdoor.haxdoor, etc

I have just realized that I've wrongfully posted a HJT log instead of DSS's. Sorry for my misconception. Here it is with a delay:

Deckard's System Scanner v20070809.63
Run by Serap on 2007-08-11 at 05:17:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Serap.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 05:19:03, on 11.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Serap\Desktop\dss.exe
C:\PROGRA~1\Suxo\Serap.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang en /H
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: OneNote'a Gönder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote'a G&önder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186416810968
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...95/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.6.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 qkbfiltr (Quanta HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\qkbfiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta HotKey Keyboard Filter Driver>

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 qmofiltr (Quanta HotKey Mouse Filter Driver) - c:\windows\system32\drivers\qmofiltr.sys <Not Verified; Quanta Computer, Inc.; Quanta Mouse Filter Device Driver>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 OwnershipProtocol - c:\program files\intel\wireless\bin\oprotsvc.exe <Not Verified; Intel Corporation; Intel PROSet/Wireless>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>

S2 MWAgent -
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-07-11 and 2007-08-11 -----------------------------

2007-08-11 05:04:52 0 d-------- C:\WINDOWS\McAfee.com
2007-08-11 05:04:49 0 d-------- C:\WINDOWS\LastGood
2007-08-11 01:45:37 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-11 01:45:12 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-08-11 01:45:12 0 d-------- C:\Documents and Settings\serap\Application Data\SUPERAntiSpyware.com
2007-08-10 20:52:22 0 d-------- C:\Documents and Settings\serap\Application Data\HouseCall 6.6
2007-08-10 20:44:25 0 d-------- C:\WINDOWS\BDOSCAN8
2007-08-10 17:30:27 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-08-10 11:24:43 0 d-------- C:\WINDOWS\Prefetch
2007-08-09 13:54:58 90112 --a------ C:\WINDOWS\system32\RegDACL.exe <Not Verified; Frank Heyne Software; RegTools>
2007-08-09 08:46:05 82258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-09 08:46:05 82258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-09 08:45:17 0 d-------- C:\Program Files\Kaspersky Lab
2007-08-09 08:45:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-08-09 08:45:15 149792 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-09 08:45:15 3112736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-08 22:29:49 111904 --a------ C:\WINDOWS\winsbak2.reg
2007-08-08 22:29:49 15676 --a------ C:\WINDOWS\winsbak.reg
2007-08-08 22:29:46 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2007-08-08 22:29:46 0 d-------- C:\Documents and Settings\LocalService\Templates
2007-08-08 22:29:46 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2007-08-08 22:29:46 0 d-------- C:\Documents and Settings\LocalService\Sık Kullanılanlar
2007-08-08 22:29:46 0 d-------- C:\Documents and Settings\LocalService\Desktop
2007-08-08 22:29:46 0 d-------- C:\Documents and Settings\LocalService\Belgeler
2007-08-08 22:29:16 126976 --a------ C:\WINDOWS\system32\mwnsp.dll <Not Verified; MicroWorld Technologies Inc.; MicroWorld Internet Traffic Scanner>
2007-08-08 22:29:16 1044480 --a------ C:\WINDOWS\system32\contfilt.dll <Not Verified; MicroWorld Technologies Inc.; contfilt>
2007-08-08 22:29:15 7680 --a------ C:\WINDOWS\sporder.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
2007-08-08 22:29:15 9488 --a------ C:\WINDOWS\sporder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(R) Operating System>
2007-08-08 22:29:14 130560 --a------ C:\WINDOWS\system32\ZIPDLL.DLL <Not Verified; ; BCB/Delphi Zip>
2007-08-08 22:29:14 125440 --a------ C:\WINDOWS\system32\UNZDLL.DLL <Not Verified; ; BCB/Delphi UnZip>
2007-08-08 22:29:14 356352 --a------ C:\WINDOWS\system32\mwtsp.dll <Not Verified; MicroWorld Technologies Inc.; MicroWorld Internet Traffic Scanner>
2007-08-08 17:51:34 925184 --a------ C:\Program Files\Grabber.exe <Not Verified; CMS; >
2007-08-07 19:33:39 0 d-------- C:\Program Files\KCeasy
2007-08-06 19:47:34 0 d-------- C:\Program Files\Classic Menu for Office
2007-08-06 17:48:18 0 d-------- C:\Program Files\Microsoft Works
2007-08-06 17:45:29 0 d-------- C:\Program Files\Microsoft.NET
2007-08-06 17:40:30 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2007-08-06 17:35:47 0 d-------- C:\WINDOWS\SHELLNEW
2007-08-06 17:34:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-08-06 17:33:25 0 d-------- C:\MSOCache
2007-08-05 19:59:50 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-08-05 19:59:47 0 d-------- C:\Program Files\SpywareBlaster
2007-08-05 19:46:56 536811 --a------ C:\Program Files\ie-spyad.exe
2007-08-05 18:39:52 0 d-------- C:\Program Files\Google
2007-08-05 17:28:30 0 d-------- C:\Documents and Settings\serap\Application Data\CyberLink
2007-08-05 15:51:45 66048 --a------ C:\Program Files\BFU.exe <Not Verified; Soeperman Enterprises Ltd.; BFU>
2007-08-05 14:58:40 0 d-------- C:\WINDOWS\ERUNT
2007-08-04 21:51:11 0 d-------- C:\Program Files\MSBuild
2007-08-04 21:47:03 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-08-04 21:45:50 0 d-------- C:\Program Files\Reference Assemblies
2007-08-04 08:36:30 0 d-------- C:\WINDOWS\system32\tr-tr
2007-08-04 08:31:18 0 d-------- C:\WINDOWS\network diagnostic
2007-08-04 07:40:44 0 d-------- C:\Program Files\Java
2007-08-04 07:40:41 0 d-------- C:\Program Files\Common Files\Java
2007-08-04 04:53:37 0 d-------- C:\WINDOWS\Sun
2007-08-04 04:35:49 0 d-------- C:\WINDOWS\pss
2007-08-04 03:30:00 0 d-------- C:\Documents and Settings\serap\Application Data\Sun
2007-08-04 02:57:09 0 d-------- C:\Documents and Settings\serap\Contacts
2007-08-04 00:20:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-08-03 23:56:46 0 d-------- C:\Program Files\Lavasoft
2007-08-03 23:56:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-03 23:56:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-03 23:49:54 50688 --a------ C:\Program Files\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2007-08-03 23:41:19 0 d-------- C:\Program Files\Winamp
2007-08-03 23:34:30 0 d-------- C:\Documents and Settings\serap\Application Data\Ahead
2007-08-03 23:33:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-08-03 23:30:31 0 d-------- C:\Program Files\Nero
2007-08-03 23:30:31 0 d-------- C:\Program Files\Common Files\Ahead
2007-08-03 23:30:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-08-03 23:18:29 0 d-------- C:\Documents and Settings\serap\Application Data\AdobeUM
2007-08-03 23:17:53 0 d-------- C:\Documents and Settings\serap\Application Data\Adobe
2007-08-03 23:17:23 0 d-------- C:\WINDOWS\Downloaded Installations
2007-08-03 23:00:38 0 d-------- C:\Program Files\Microsoft DirectX SDK (June 2007)
2007-08-03 22:55:13 0 d-------- C:\WINDOWS\system32\URTTemp
2007-08-03 22:08:00 0 d-------- C:\Program Files\Suxo
2007-08-03 21:57:33 0 d-------- C:\WINDOWS\Dictionary
2007-08-03 21:57:32 0 d-------- C:\Program Files\English Fast
2007-08-03 21:55:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-08-03 21:55:48 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-03 21:28:15 0 d-------- C:\Program Files\XP Lite
2007-08-03 21:22:31 0 d-------- C:\Program Files\Godlike Developers
2007-08-03 21:22:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-03 21:21:15 1356288 --a------ C:\Program Files\pqremove.com
2007-08-03 21:19:37 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-03 21:12:47 0 d-------- C:\Program Files\CyberLink
2007-08-03 2117 0 d-------- C:\Program Files\Windows Live
2007-08-03 2110 0 d-------- C:\Program Files\Messenger Plus! Live
2007-08-03 20:50:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\Templates
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\Start Menu
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\Sık Kullanılanlar
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\SendTo
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\Recent
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\PrintHood
2007-08-03 20:49:59 487424 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\NetHood
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\Cookies
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\Belgelerim
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\Application Data
2007-08-03 20:49:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-08-03 18:20:39 0 d-------- C:\Program Files\MoonStar
2007-08-03 18:18:34 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-08-03 18:17:25 0 d-------- C:\Program Files\MSN Messenger
2007-08-03 17:49:41 0 d-------- C:\Documents and Settings\serap\Application Data\Macromedia
2007-08-03 17:07:08 0 d-------- C:\Program Files\Windows Media Connect 2
2007-08-03 17:03:10 0 d-------- C:\WINDOWS\system32\LogFiles
2007-08-03 17:03:10 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-03 16:57:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-08-03 16:47:12 0 d--hs---- C:\Documents and Settings\serap\UserData
2007-08-03 16:24:18 0 d-------- C:\WINDOWS\system32\PreInstall
2007-08-03 16:18:14 0 d-------- C:\Documents and Settings\serap\Application Data\Google
2007-08-03 16:17:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-08-03 15:58:23 0 d-------- C:\WINDOWS\$hf_mig$
2007-08-03 15:32:11 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-03 02:23:27 0 d--hs---- C:\WINDOWS\Installer
2007-08-03 02:23:26 0 d-------- C:\Program Files\Common Files\ODBC
2007-08-03 02:23:21 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-08-03 02:23:20 0 dr------- C:\Program Files
2007-08-03 02:23:20 0 d-------- C:\Program Files\Common Files
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\Templates
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\Start Menu
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\Sık Kullanılanlar
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\SendTo
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\Recent
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\PrintHood
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\NetHood
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\Local Settings
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\Desktop
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\Cookies
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\Default User\Belgelerim
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\All Users\Templates
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\All Users\Start Menu
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\All Users\Sık Kullanılanlar
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\All Users\Desktop
2007-08-03 02:22:46 0 d-------- C:\Documents and Settings\All Users\Belgeler
2007-08-03 02:22:28 0 d-------- C:\WINDOWS\system32\CatRoot2
2007-08-03 02:22:28 0 d-------- C:\WINDOWS\system32\CatRoot
2007-08-03 02:22:23 0 d-------- C:\Documents and Settings\Default User\Application Data
2007-08-03 02:22:23 0 d-------- C:\Documents and Settings\Default User\Application Data\Microsoft
2007-08-03 02:22:22 0 d-------- C:\Documents and Settings\All Users\Application Data
2007-08-03 02:22:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft
2007-08-03 02:21:38 0 d-------- C:\Documents and Settings
2007-08-03 02:16:31 0 d--hs---- C:\System Volume Information
2007-08-03 02:14:01 0 d-------- C:\WINDOWS
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\WinSxS
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\Web
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\twain_32
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\wins
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\wbem
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\usmt
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\spool
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\ShellExt
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\Setup
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\ras
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\oobe
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\npp
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\mui
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\inetsrv
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\IME
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\icsxml
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\ias
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\export
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\drivers
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\drivers\etc
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-08-03 02:14:01 0 d------c- C:\WINDOWS\system32\dllcache
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\dhcp
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\config
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\3com_dmi
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\3076
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\2052
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\1055
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\1054
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\1042
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\1041
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\1037
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\1033
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\1031
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\1028
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system32\1025
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\system
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\security
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\Resources
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\repair
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\Provisioning
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\PeerNet
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\pchealth
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\msapps
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\msagent
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\Media
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\java
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\inf
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\ime
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\Help
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\Fonts
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\Driver Cache
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\Debug
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\Cursors
2007-08-03 02:14:01 0 d-------- C:\WINDOWS\AppPatch
2007-08-03 00:51:20 0 d-------- C:\Temp
2007-08-03 00:46:44 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-03 00:44:25 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-08-03 00:44:25 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-08-03 00:44:23 0 d-------- C:\Program Files\Trojan Remover
2007-08-03 00:44:23 0 d-------- C:\Documents and Settings\serap\Application Data\Simply Super Software
2007-08-03 00:44:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-08-03 00:34:42 0 d-------- C:\Documents and Settings\serap\Application Data\WinRAR
2007-08-03 00:12:10 63488 -ra------ C:\WINDOWS\system32\drivers\wssbtr1f.sys <Not Verified; National Semiconductor Sweden AB; National Semiconductor Sweden AB BlueCard PCMCIA driver>
2007-08-03 00:12:10 48556 -ra------ C:\WINDOWS\system32\drivers\SktBt2k.sys <Not Verified; Socket Communications, Inc.; SIO9502K>
2007-08-03 00:12:10 77824 -ra------ C:\WINDOWS\system32\drivers\SioUi2k.dll <Not Verified; Socket Communications Inc.; 16C950>
2007-08-03 00:12:10 48076 -ra------ C:\WINDOWS\system32\drivers\Sio9502k.sys <Not Verified; Socket Communications, Inc.; SIO9502K>
2007-08-03 00:12:10 40960 -ra------ C:\WINDOWS\system32\drivers\SCTray.exe <Not Verified; Socket Communications Inc.; SCTray>
2007-08-03 00:12:10 51169 -ra------ C:\WINDOWS\system32\drivers\OXSER.SYS <Not Verified; OEM; OX16C95x>
2007-08-03 00:12:05 13304 --a------ C:\WINDOWS\system32\drivers\BTNetFilter.sys
2007-08-03 00:12:04 11736 --a------ C:\WINDOWS\system32\drivers\VHIDMini.sys <Not Verified; IVT Corporation; IVT BlueSoleil>
2007-08-03 00:12:04 82148 --a------ C:\WINDOWS\system32\drivers\VcommMgr.sys <Not Verified; IVT Corporation; BlueSoleil>
2007-08-03 00:12:04 61312 --a------ C:\WINDOWS\system32\drivers\VComm.sys <Not Verified; IVT Corporation; BlueSoleil>
2007-08-03 00:12:04 11860 --a------ C:\WINDOWS\system32\drivers\vbtenum.sys
2007-08-03 00:12:04 116021 --a------ C:\WINDOWS\system32\drivers\fw203x.sys <Not Verified; Broadcom; >
2007-08-03 00:12:04 10804 --a------ C:\WINDOWS\system32\drivers\BtNetDrv.sys <Not Verified; IVT Corporation; BlueSoleil>
2007-08-03 00:12:04 28271 --a------ C:\WINDOWS\system32\drivers\BTHidMgr.sys <Not Verified; IVT Corporation; BlueSoleil(c)>
2007-08-03 00:12:04 23000 --a------ C:\WINDOWS\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
2007-08-03 00:12:04 20096 --a------ C:\WINDOWS\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows (R) 2000 DDK driver>
2007-08-03 00:12:04 7680 --a------ C:\WINDOWS\system32\btinstall.dll <Not Verified; IVT Corporation; BlueSoleil>
2007-08-03 00:12:04 49152 --a------ C:\WINDOWS\system32\btfunc.dll <Not Verified; IVT Corporation; BlueSoleil>
2007-08-02 23:58:58 0 d-------- C:\Documents and Settings\serap\Application Data\Intel
2007-08-02 23:58:36 17119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.6.0>
2007-08-02 23:58:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Intel
2007-08-02 23:57:28 1654784 --a------ C:\WINDOWS\system32\W29MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 2915ABG Network Connection>
2007-08-02 23:54:56 0 d-------- C:\Program Files\Synaptics
2007-08-02 23:54:26 0 d-------- C:\WINDOWS\Motorola
2007-08-02 23:54:02 0 d-------- C:\Program Files\Keyboard Manager
2007-08-02 23:53:19 0 d-------- C:\Program Files\Intel
2007-08-02 23:52:25 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-08-02 23:51:40 0 d-------- C:\WINDOWS\tiinst
2007-08-02 23:50:24 0 d-------- C:\WINDOWS\system32\Lang
2007-08-02 23:46:23 294912 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-08-02 23:46:18 0 d-------- C:\WINDOWS\system32\RTCOM
2007-08-02 23:46:18 40960 -r------- C:\WINDOWS\system32\ChCfg.exe
2007-08-02 23:45:58 0 d-------- C:\Program Files\Realtek
2007-08-02 23:45:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-02 23:45:51 487424 -r------- C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2007-08-02 23:45:46 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-02 23:41:26 0 d-------- C:\Documents and Settings\serap\Application Data\Identities
2007-08-02 23:41:17 0 d-------- C:\Documents and Settings\serap\SendTo
2007-08-02 23:41:17 0 d-------- C:\Documents and Settings\serap\Recent
2007-08-02 23:41:17 0 d-------- C:\Documents and Settings\serap\PrintHood
2007-08-02 23:41:17 0 d-------- C:\Documents and Settings\serap\NetHood
2007-08-02 23:41:17 0 d--h----- C:\Documents and Settings\serap\Local Settings
2007-08-02 23:41:17 0 d-------- C:\Documents and Settings\serap\Desktop
2007-08-02 23:41:17 0 d--hs---- C:\Documents and Settings\serap\Cookies
2007-08-02 23:41:17 0 d-------- C:\Documents and Settings\serap\Belgelerim
2007-08-02 23:41:17 0 d-------- C:\Documents and Settings\serap\Application Data
2007-08-02 23:41:16 0 d-------- C:\Documents and Settings\serap\Templates
2007-08-02 23:41:16 0 d-------- C:\Documents and Settings\serap\Start Menu
2007-08-02 23:41:16 0 d-------- C:\Documents and Settings\serap\Sık Kullanılanlar
2007-08-02 23:41:16 7602176 --a------ C:\Documents and Settings\serap\NTUSER.DAT
2007-08-02 23:39:59 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-08-02 23:39:54 0 d-------- C:\WINDOWS\system32\Microsoft
2007-08-02 23:39:52 1310720 --a------ C:\Documents and Settings\LocalService\NTUSER.DAT
2007-08-02 23:39:52 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2007-08-02 23:39:52 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2007-08-02 23:39:52 0 d-------- C:\Documents and Settings\LocalService\Application Data
2007-08-02 23:39:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\Microsoft
2007-08-02 23:39:35 1310720 --a------ C:\Documents and Settings\NetworkService\NTUSER.DAT
2007-08-02 23:39:35 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2007-08-02 23:39:35 0 d-------- C:\Documents and Settings\NetworkService\Cookies
2007-08-02 23:39:35 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2007-08-02 23:39:35 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2007-08-02 23:35:46 0 d-------- C:\WINDOWS\system32\xircom
2007-08-02 23:35:46 0 d-------- C:\Program Files\microsoft frontpage
2007-08-02 23:35:42 229376 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2007-08-02 23:35:32 0 -rahs---- C:\MSDOS.SYS
2007-08-02 23:35:32 0 -rahs---- C:\IO.SYS
2007-08-02 23:35:32 0 --a------ C:\CONFIG.SYS
2007-08-02 23:35:32 0 -----n--- C:\AUTOEXEC.BAT
2007-08-02 23:34:19 0 d-------- C:\Documents and Settings\All Users\DRM
2007-08-02 23:34:06 0 d-------- C:\WINDOWS\Offline Web Pages
2007-08-02 23:34:06 0 d-------- C:\WINDOWS\Downloaded Program Files
2007-08-02 23:33:45 0 d-------- C:\Program Files\Online Services
2007-08-02 23:33:26 0 d-------- C:\WINDOWS\system32\DirectX
2007-08-02 23:32:53 0 d-------- C:\WINDOWS\Tasks
2007-08-02 23:32:52 0 d-------- C:\Program Files\Common Files\MSSoap
2007-08-02 23:32:47 0 d-------- C:\WINDOWS\srchasst
2007-08-02 23:32:46 0 d-------- C:\WINDOWS\system32\Macromed
2007-08-02 23:32:37 0 d-------- C:\Program Files\Movie Maker
2007-08-02 23:32:28 0 d-------- C:\WINDOWS\system32\Restore
2007-08-02 23:32:06 21736 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-02 23:31:43 0 d-------- C:\WINDOWS\Registration
2007-08-02 23:31:00 0 d-------- C:\Program Files\Messenger
2007-08-02 23:30:56 0 d-------- C:\Program Files\MSN Gaming Zone
2007-08-02 23:30:22 0 d-------- C:\Program Files\Windows NT
2007-08-02 23:30:18 0 d-------- C:\WINDOWS\system32\MsDtc
2007-08-02 23:30:15 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2007-08-10 14:55:09 668 --a------ C:\Program Files\grabber.ini
2007-08-06 20:12:15 415112 --a------ C:\WINDOWS\system32\perfh01F.dat
2007-08-06 20:12:15 75488 --a------ C:\WINDOWS\system32\perfc01F.dat
2007-08-03 02:22:46 62 --ahs---- C:\Documents and Settings\Serap\Application Data\desktop.ini
2007-08-02 12:54:56 42663246 --a------ C:\Program Files\avgmalware.rar


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [07.01.2005 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [12.07.2005 05:55 C:\WINDOWS\RTHDCPL.EXE]
"Keyboard Manager Utility"="C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [12.07.2005 05:55]
"SMSERIAL"="sm56hlpr.exe" [12.07.2005 05:55 C:\WINDOWS\sm56hlpr.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [12.07.2005 05:55]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [12.07.2005 05:55]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [15.10.2004 11:27]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [15.10.2004 11:31]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [14.03.2007 21:01]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [07.02.2007 16:21]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01.03.2007 15:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.05.2007 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12.07.2007 04:00]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [27.10.2006 00:47]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [15.06.2007 17:00]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [28.06.2007 12:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 15:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19.01.2007 12:55]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [27.06.2007 19:03]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [09.08.2007 23:01]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCpl"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
"NoDispCpl"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"=0 (0x0)
"NoLowDiskSpaceChecks"=0 (0x0)
"StartmenuLogoff"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"NoPrinters"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoChangeStartMenu"=0
Attached Files
File Type: txt extra.txt (12.0 KB, 1 views)
Old 08-10-2007, 08:43 PM   #9
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Browser hijacker, backdoor.haxdoor, etc

C:\PROGRA~1\Suxo\Serap.exe

I keep seeing this in your log. Any ideas what it relates to?
__________________

Question - what have you done for the community today?
Old 08-10-2007, 08:59 PM   #10
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Browser hijacker, backdoor.haxdoor, etc

C:\Program Files\suxo.exe was my hijackthis.exe renamed.
But when you mentioned Serap.exe, I explored that, and in the specified folder there are 2 renamed HijackThis exe files: one of them suxo, the other serap. I'm sure I have not created Serap.exe. Maybe you'll think I'm paranoid, but I suspect being hacked. This has happened to me several times before.

I share my network with my sister and last week some files came from her computer to mine. We don't understand how these strange things happen. I have no information about security issues of a local network.

Sorry to state that F-Secure doesn't work either. First tried in the afternoon when BitDefender was of no use, and twice now. A warning comes saying that downloads could not be made.
Old 08-10-2007, 09:03 PM   #11
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Browser hijacker, backdoor.haxdoor, etc

Is serap your username? If so, then DSS created it.
__________________

Question - what have you done for the community today?
Old 08-10-2007, 09:06 PM   #12
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Browser hijacker, backdoor.haxdoor, etc

Yes :::D

I've examined the properties of them. serap was created just half an hour ago.

:)
Old 08-10-2007, 09:07 PM   #13 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Browser hijacker, backdoor.haxdoor, etc

Quote:
Sorry to state that F-Secure doesn't work either. I first tried it in the afternoon when BitDefender was of no use, and twice now. A warning comes saying that downloads could not be made.
It's Kaspersky Internet Security that's blocking it. Is Kaspersky up to date? If so, reboot to safe mode & do a full system scan.

Kaspersky's a great scanner but I don't use it. I know it's possible for you to generate a log of the scan. Please try to show me the log.
sUBs is offline  
Old 08-10-2007, 10:01 PM   #14 (permalink)
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Browser hijacker, backdoor.haxdoor, etc

Eventually managed to run F-Secure:


Saturday, August 11, 2007 06:15:16 - 06:57:46
Computer name: BLISS
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 27359
System: 4097
Not scanned: 3
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{921AAB66-5A31-4683-A4E0-330E0F496971}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-08-10
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0260-23-12
F-Secure Libra: 2.4.2, 2007-08-10
F-Secure Orion: 1.2.37, 2007-08-10
F-Secure Pegasus: 1.19.0, 2007-07-05
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics
Ioo is offline  
Old 08-10-2007, 10:07 PM   #15 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Browser hijacker, backdoor.haxdoor, etc

Like I suspected, you're clean.

Now to verify Trojan Remover’s claims.

Please open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Dump the System Restore filter driver's service key (and its subkeys) to a temp file, then open it
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr /s >"%tmp%\log.txt"
start notepad "%tmp%\log.txt"
Save this as query.bat, choosing "Save as type - All Files".
Double click on query.bat & allow it to run.

Post back to tell me what it says
sUBs is offline  
Old 08-11-2007, 08:13 AM   #16 (permalink)
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Browser hijacker, backdoor.haxdoor, etc

the output of query.bat :



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
Type REG_DWORD 0x2
Start REG_DWORD 0x0
ErrorControl REG_DWORD 0x1
Tag REG_DWORD 0x4
DisplayName REG_SZ Sistem Geri Yükleme Süzeç Sürücüsü
Group REG_SZ FSFilter System Recovery

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters
FirstRun REG_DWORD 0x0
DontBackup REG_DWORD 0x0
MachineGuid REG_SZ {21582CFF-E91B-4F54-83B7-B1DE856A59DC}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Security
Security REG_BINARY 01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum
0 REG_SZ Root\LEGACY_SR\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1

Last edited by Ioo; 08-11-2007 at 08:15 AM.
Ioo is offline  
Old 08-11-2007, 10:17 AM   #17 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Browser hijacker, backdoor.haxdoor, etc

Your Registry entry for the legitimate Windows service got wiped out by Trojan Remover. Let's attempt to repair it.

Open NOTEPAD.exe and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
; REG_EXPAND_SZ bytes of "system32\DRIVERS\sr.sys", NUL-terminated
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,73,72,2e,\
73,79,73,00
Save this as fix.reg, choosing "Save as type - All Files".
Double click on fix.reg & allow it to merge into the registry.


---------------


Then verify/check whether this folder exists - C:\WINDOWS\SystemRoot

Also check whether this file still exists - C:\Windows\system32\DRIVERS\sr.sys


--------------


Test if System Restore still works.
Go to Start > Run - type C:\Windows\system32\restore\rstrui.exe
sUBs is offline  
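Added example, in Python, that is not code from the thread or from sUBs's tools: it covers the two steps above, reading the `reg query ... /s` dump asked for in post #15 and producing the REGEDIT4 fix from post #17. The query output embedded below is constructed to mirror the log Ioo posted (DisplayName rendered in English); the encoder/decoder assume the single-byte (ANSI) layout REGEDIT4 uses for hex(2) values, and the expected driver path is the one sUBs gave.

```python
"""Check the `sr` (System Restore filter driver) service key and build a REGEDIT4 fix.

Added example, not code from the thread. Parses constructed `reg query ... /s`
output in the REG.EXE 3.0 layout shown above, flags the missing ImagePath, and
encodes/decodes the REGEDIT4 hex(2) (REG_EXPAND_SZ) form of the driver path.
Assumes the REGEDIT4 single-byte (ANSI) encoding; the newer
"Windows Registry Editor Version 5.00" format stores hex(2) as UTF-16LE instead.
"""
import re

SR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr"
EXPECTED_IMAGE_PATH = r"system32\DRIVERS\sr.sys"   # path given in the fix above

# Constructed sample: what `reg query HKLM\SYSTEM\CurrentControlSet\Services\sr /s`
# prints on XP when the ImagePath value has been removed (DisplayName in English).
SAMPLE_QUERY_OUTPUT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
    Type        REG_DWORD       0x2
    Start       REG_DWORD       0x0
    ErrorControl        REG_DWORD       0x1
    Tag REG_DWORD       0x4
    DisplayName REG_SZ  System Restore Filter Driver
    Group       REG_SZ  FSFilter System Recovery

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters
    FirstRun    REG_DWORD       0x0
    DontBackup  REG_DWORD       0x0
"""

# value line: <name> <REG_type> <data>; REG.EXE 3.0 separates the columns with whitespace
_VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s*(.*?)\s*$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query /s` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name, vtype, data = m.groups()
                keys[current][name] = (vtype, data)
    return keys


def check_sr_service(keys):
    """List what is wrong with the sr service key; an empty list means it looks intact."""
    values = keys.get(SR_KEY)
    if values is None:
        return ["service key missing"]
    problems = []
    if values.get("Type", ("", ""))[1] != "0x2":    # 0x2 = SERVICE_KERNEL_DRIVER
        problems.append("Type is not 0x2 (kernel driver)")
    if values.get("Start", ("", ""))[1] != "0x0":   # 0x0 = SERVICE_BOOT_START
        problems.append("Start is not 0x0 (boot start)")
    if "ImagePath" not in values:                   # the value Trojan Remover wiped
        problems.append("ImagePath missing")
    return problems


def encode_hex2(value):
    """REGEDIT4 hex(2) form of a REG_EXPAND_SZ string: ANSI bytes plus a NUL terminator."""
    return ",".join("%02x" % b for b in value.encode("latin-1") + b"\x00")


def decode_hex2(hex_text):
    """Inverse of encode_hex2; accepts the backslash-newline continuation regedit writes."""
    joined = re.sub(r"\\\s*\n\s*", "", hex_text)
    data = bytes(int(h, 16) for h in joined.split(",") if h.strip())
    return data.split(b"\x00", 1)[0].decode("latin-1")


def build_fix_reg(image_path=EXPECTED_IMAGE_PATH):
    """Produce the REGEDIT4 file that restores ImagePath on the sr service key."""
    return 'REGEDIT4\n\n[%s]\n"ImagePath"=hex(2):%s\n' % (SR_KEY, encode_hex2(image_path))


if __name__ == "__main__":
    found = parse_reg_query(SAMPLE_QUERY_OUTPUT)
    print("problems:", check_sr_service(found))
    print(build_fix_reg())
```

Run it against a real dump by replacing SAMPLE_QUERY_OUTPUT with the contents of the log.txt that query.bat opens; a clean key reports no problems, and the generated REGEDIT4 text can be saved as fix.reg exactly as described in the post.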
Old 08-11-2007, 11:16 AM   #18 (permalink)
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Browser hijacker, backdoor.haxdoor, etc

Checks done:

C:\WINDOWS\SystemRoot: does not exist. In fact, I've never seen such a folder there before.


C:\Windows\system32\DRIVERS\sr.sys: exists


System Restore: I've been unable to restore my system for a long time. It became corrupt even before Trojan Remover's alert about sr.sys. Today, I've tried to restore to some point in the past first, then to a new point I've just created. Both attempts were unsuccessful.
Ioo is offline  
Old 08-11-2007, 11:22 AM   #19 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Browser hijacker, backdoor.haxdoor, etc

Describe to me what happens when you attempt to do this. Please be detailed.

Go to Start → Run → type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
sUBs is offline  
Old 08-11-2007, 11:35 AM   #20 (permalink)
Ioo
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: xp


Re: Browser hijacker, backdoor.haxdoor, etc

First, when turning off System Restore, the usual alert comes: You've chosen to disable System Restore. If you continue, all restore points will be deleted. Are you sure?

I clicked on yes.

Then the screen freezes for a while. A Proactive Defense alert comes from Kaspersky as usual. I give permission for sr.sys to access the registry, and put a tick on the checkbox of the Kaspersky alert window not to restrict the application's activity. Then the screen returns to normal.

When turning it back on, nothing freezes or stalls. The tick on the checkbox simply goes away.
Ioo is offline  
 


Copyright 2001 - 2009, Tech Support Forum