PDA

View Full Version : Urgent Help for the Trojan "Virtumonde".



ozgur1318
2007-06-07, 18:14
Hi my computer is infected by the trojan "Virtumonde",
and some other stuff namely: Smitfraud-C .Toolbar 888 , etc..
I hope i got rid of them with Ad Aware SE Pro ,Spybot S&D 1.4 , Kaspersky Anti Virus Personal , Windows Live Safety Center (online virus scan)
combination.It seems they successfully removed them and they dont come back after restart except the " Virtumonde".
I found some usefull information on the site http://forums.spybot.info/showthread.php?t=288.
I tried to do the insturctions but failed somehow.
-I installed Spybot S&D 1.4 already and updated all the latest definisions.
-I run an online Anti Virus Scan. (It's from the site safety.live.com. Windows Live Safety Center. It's a microsoft windows product),
1-I couldn't do a scan on eTrust Antivirus Web Scanner because of my internet explorer browser and other browsers has some problems with Active X
2-I can't reboot my computer with safe mod.because .well that is a long story.after i push F8 and choose Safe mod, some ms- dos stuff comes in.And after that it
goes to windows opening, but it asks for me to choose the user. So i choose it.I guess till here everthing seems normal.But wait i'm coming to the point.
After i choose the user and login.The only think i see is a black screen which has some writings: on the 4 corners of the screen it writes ""Windows Safe
Mod" and on the top of the screen it writes" Microsoft Windows Service Pack 2 ". etc.. So there is no desktop.i cant see it. (i gueess some of the troajans
changed secretly some of my display/ screen settings or interferes with them somehow ! for ex: all the games that i have on my computer worked properly before .but
now when i enter the games , i play it ,but the games resolution seems changed.my screen is narrowed down from both sides, right and left. even if
everything seems normal on the options menu,and those problems cant be solved from the ingame options- resolutions menu .etc..)
3- So i run Spybot a couple of times without the safe mod.but it seems to find the trojan "virtumonde" , tries to delete
it,but it can't delete one of the files.and after i restar the files came back
4-So i installed Hijackthis.zip. adn extraceted it. run Hijack.exe. Double clicked HijackThis.exe.done the insturctions written :
"Hit None Of The Above, just start the program.
Hit Scan.
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click that, save the log somewhere,"
my problem with this is icant find my log files.because i dont have any idea where it saves its log files.i checked the folder that i installed the file
hijackthis.exe and hijackThis.zip
but no.there isnt any log file.
-I couldnt be able to find the log file of my virus scan either.( i cehecked this C:\Program Files\Windows Live Safety Center ,
and find a log file called TitanLog.log but, this log file seems empty ,0 kb. i have no idea what the hell is going on :) )
-In my computer i have so many log files .But they seem like insatllation logs or other stuff i guess.
CAN U GIVE ME SOME TIPS ABOUT FINDING THE APPROPRIATE LOGS SO I CAN SEND THEM HERE?

pskelley
2007-06-08, 15:03
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Hard to say if I can help until you follow the instructions. I hope this is WindowsXP, no tools exist for removing Vundo from Vista yet that I know of. Follow the above instructions and when it comes time to get the HJT log, do this:

Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
Download it to your Program Files folder.
Doubleclick the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThislog.
Copy and paste the contents of the log in your next reply

Thanks

ozgur1318
2007-06-10, 13:23
yes i'have windows/xp. with vista.
ok here is my hijack this log :
thanks :bigthumb:
ps:as i couldnt do the online scan from eTrust Antivirus Web Scanner because i have some problems with my IE browser.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:17:58, on 10.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Program Files\Eset\nod32.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Hijack This V2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/tr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E134279-1FF4-4A69-A2D1-87F48570D4F0} - (disabled by BHODemon)
O2 - BHO: (no name) - {19F0761B-8EC9-406E-B155-0B70069FE344} - C:\WINDOWS\system32\vtspp.dll
O2 - BHO: (no name) - {211EE93F-0B1B-4AC4-BA16-25CEFF9CA793} - (no file)
O2 - BHO: (no name) - {2772CF0B-8E98-4251-851F-C4D0B47F87F2} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (disabled by BHODemon)
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\ljjhecd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {707886CA-80C6-4C75-8695-B512D5D2814A} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: (no name) - {9AE0424B-AF71-4494-9FF7-CDA48E9AE98e} - C:\WINDOWS\system32\qnvddumu.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (disabled by BHODemon)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\whdagraq.dll (disabled by BHODemon)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\dktyjopw.dll (disabled by BHODemon)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (disabled by BHODemon)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Alarmli Sayisal Saat 2.11] C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ljjhecd - C:\WINDOWS\SYSTEM32\ljjhecd.dll
O20 - Winlogon Notify: tuvurst - C:\WINDOWS\
O20 - Winlogon Notify: urqrsro - C:\WINDOWS\
O20 - Winlogon Notify: vtspp - C:\WINDOWS\system32\vtspp.dll
O20 - Winlogon Notify: xxyvspm - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui önceden yükleyicisi - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Bileşen Katergorileri önbellek daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-674.vo.llnwd.net/00508/47/63/508113674_l.jpg

--
End of file - 9143 bytes

pskelley
2007-06-10, 13:55
Thanks for returning your information and the feedback. You say you have both Windows XP and Vista installed? I have no idea how that will affect our removal efforts, wish us luck. You have a Vundo infection, here is some information for you benefit:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/


See this information: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_05\ <<< very out of date, download the newest version and uninstall all old versions in Add Remove Programs. This is likely the reason you are infected.

I will provide a lot of instructions at once, I am in no way trying to rush you and I encourage you to work carefully through them instructions. Those who follow the directions have few problems removing this infection.

1) Turn off SpybotSD TeaTimer, it will block changes we must make:
http://russelltexas.com/malware/teatimer.htm

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

3) Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

(save the report and log untill you finish)


4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(items may be missing, removed by Vundofix. Do not be concerned)

(I also do not know how the BHODemon will effect this removal)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {0E134279-1FF4-4A69-A2D1-87F48570D4F0} - (disabled by BHODemon)
O2 - BHO: (no name) - {19F0761B-8EC9-406E-B155-0B70069FE344} - C:\WINDOWS\system32\vtspp.dll
O2 - BHO: (no name) - {211EE93F-0B1B-4AC4-BA16-25CEFF9CA793} - (no file)
O2 - BHO: (no name) - {2772CF0B-8E98-4251-851F-C4D0B47F87F2} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (disabled by BHODemon)
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\ljjhecd.dll
O2 - BHO: (no name) - {707886CA-80C6-4C75-8695-B512D5D2814A} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9AE0424B-AF71-4494-9FF7-CDA48E9AE98e} - C:\WINDOWS\system32\qnvddumu.dll (disabled by BHODemon)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\whdagraq.dll (disabled by BHODemon) G
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\dktyjopw.dll (disabled by BHODemon)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (disabled by BHODemon) G
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O20 - Winlogon Notify: ljjhecd - C:\WINDOWS\SYSTEM32\ljjhecd.dll
O20 - Winlogon Notify: tuvurst - C:\WINDOWS\
O20 - Winlogon Notify: urqrsro - C:\WINDOWS\
O20 - Winlogon Notify: vtspp - C:\WINDOWS\system32\vtspp.dll
O20 - Winlogon Notify: xxyvspm - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the Vundofix report and a new HJT log.

Thanks

ozgur1318
2007-06-10, 17:14
i couldnt understand it well.i might done it wrong ,i'm not sure.
here is what i did. i did everything untill step3 (the vundo part)
now:
" Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. "
yes vundofix couldnt removed one of them ; * :oops: here stg strange happened: (my antivirus program nod32. one of its monitors were open and quarantined c:\Vundofix Backups\vtspp.dll.bad)"
,and vundofix wanted a reboot.i clicked ok.

-:oops:- then after reboot, i clicked, remove vundo button without clicking the scan for vundo button first!!!
here is my new hijack this log. sorry but i might did it wrong, if i did , correct me please!.. thanks

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:53:08, on 10.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This V2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/tr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E134279-1FF4-4A69-A2D1-87F48570D4F0} - (disabled by BHODemon)
O2 - BHO: (no name) - {211EE93F-0B1B-4AC4-BA16-25CEFF9CA793} - (no file)
O2 - BHO: (no name) - {2772CF0B-8E98-4251-851F-C4D0B47F87F2} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (disabled by BHODemon)
O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: (no name) - {707886CA-80C6-4C75-8695-B512D5D2814A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: (no name) - {9AE0424B-AF71-4494-9FF7-CDA48E9AE98e} - C:\WINDOWS\system32\qnvddumu.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (disabled by BHODemon)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\dktyjopw.dll (disabled by BHODemon)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (disabled by BHODemon)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Alarmli Sayisal Saat 2.11] C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui önceden yükleyicisi - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Bileşen Katergorileri önbellek daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-674.vo.llnwd.net/00508/47/63/508113674_l.jpg

--
End of file - 8491 bytes

pskelley
2007-06-10, 18:21
You did not post the Vundofix report? It is located here: C:\vundofix.txt It appears you used the tool OK but you missed a lot of junk with HJT.

When I see an item like this:
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (disabled by BHODemon)
It has been disabled by http://www.definitivesolutions.com/bhodemon.htm <<< this program, so I removed those items. BHODemon is a program on your computer that has to be used by someone with access to the computer.
BHODemon may be stopping HJT from removing them, turn that program off and then use HJT.


Let's have another go with HJT, the instructions are as plain as I can make them:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {0E134279-1FF4-4A69-A2D1-87F48570D4F0} - (disabled by BHODemon)
O2 - BHO: (no name) - {211EE93F-0B1B-4AC4-BA16-25CEFF9CA793} - (no file)
O2 - BHO: (no name) - {2772CF0B-8E98-4251-851F-C4D0B47F87F2} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (disabled by BHODemon)
O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: (no name) - {707886CA-80C6-4C75-8695-B512D5D2814A} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: (no name) - {9AE0424B-AF71-4494-9FF7-CDA48E9AE98e} - C:\WINDOWS\system32\qnvddumu.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (disabled by BHODemon)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\dktyjopw.dll (disabled by BHODemon)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (disabled by BHODemon)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -

Close all programs but HJT and all browser windows, then click on "Fix Checked"


Post the Vundofix report and a new HJT log.

Thanks

ozgur1318
2007-06-10, 19:11
VundoFix V6.5.0

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 16:34:52 10.06.2007

Listing files found while scanning....

C:\windows\system32\bmrbgcoq.ini
C:\WINDOWS\system32\drutesmk.dll
C:\windows\system32\idlupwto.dll
C:\windows\system32\j2241430.dll
C:\WINDOWS\system32\ljjhecd.dll
C:\WINDOWS\system32\lurnvptk.dll
C:\windows\system32\mcoinuka.exe
C:\windows\system32\otwpuldi.ini
C:\windows\system32\ppstv.bak1
C:\windows\system32\ppstv.bak2
C:\windows\system32\ppstv.ini
C:\windows\system32\ppstv.ini2
C:\windows\system32\qocgbrmb.dll
C:\windows\system32\rmhksdpv.dll
C:\WINDOWS\system32\ttyimdrc.dll
C:\windows\system32\vpdskhmr.ini
C:\WINDOWS\system32\vtspp.dll
C:\WINDOWS\system32\whdagraq.dll__BHODemonDisabled
C:\WINDOWS\system32\xktofual.dll

Beginning removal...

Attempting to delete C:\windows\system32\bmrbgcoq.ini
C:\windows\system32\bmrbgcoq.ini Has been deleted!

Attempting to delete C:\windows\system32\idlupwto.dll
C:\windows\system32\idlupwto.dll Has been deleted!

Attempting to delete C:\windows\system32\j2241430.dll
C:\windows\system32\j2241430.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjhecd.dll
C:\WINDOWS\system32\ljjhecd.dll Could not be deleted.

Attempting to delete C:\windows\system32\mcoinuka.exe
C:\windows\system32\mcoinuka.exe Has been deleted!

Attempting to delete C:\windows\system32\otwpuldi.ini
C:\windows\system32\otwpuldi.ini Has been deleted!

Attempting to delete C:\windows\system32\ppstv.bak1
C:\windows\system32\ppstv.bak1 Has been deleted!

Attempting to delete C:\windows\system32\ppstv.bak2
C:\windows\system32\ppstv.bak2 Has been deleted!

Attempting to delete C:\windows\system32\ppstv.ini
C:\windows\system32\ppstv.ini Has been deleted!

Attempting to delete C:\windows\system32\ppstv.ini2
C:\windows\system32\ppstv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\qocgbrmb.dll
C:\windows\system32\qocgbrmb.dll Has been deleted!

Attempting to delete C:\windows\system32\rmhksdpv.dll
C:\windows\system32\rmhksdpv.dll Has been deleted!

Attempting to delete C:\windows\system32\vpdskhmr.ini
C:\windows\system32\vpdskhmr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtspp.dll
C:\WINDOWS\system32\vtspp.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ljjhecd.dll
C:\WINDOWS\system32\ljjhecd.dll Has been deleted!

Performing Repairs to the registry.
Done!

ozgur1318
2007-06-10, 19:30
hi pskelley.
i read the link about BHOdemon.somewhat understand what it is.
but i dont know how to close it,or where it is .which program on my computer is BHOdemon? i dont remember installing a program named BHOdemon, so i guess it must be installed secretly via internet with the help of some malwares.?!??
and areu saying this program is BHOdemon??
C:\Program Files\FlashGet\jccatch.dll

thanks

ozgur1318
2007-06-10, 19:40
and ps: i didnt get through the step 4 and 5 yet as is said earlier i just did the step3 : vundofix part+ hijackthis and send u the 2logs.
just trying to do what u say. right ?
( a reminder to prevent misunderstanding! :D:)

pskelley
2007-06-10, 19:44
Who does this computer belong to? If it is yours, how can you not know what those two programs are? BHODemon no longer updates and is about obsolete and it would have been installed on the computer by someone, not as you are suggesting. Is there someone in the house who knows more about this computer than you do? I want to point out to you that these remote repairs are hard enough to do anyway, without being attempted by
someone who does not know what is installed on the computer.

Follow these directions but not until the instructions I posted earlier are completed!

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

ozgur1318
2007-06-10, 20:28
i'm the owner of this pc, so the only one who uses this pc.but :either i installed a program like that by mistake and forgot ;or it must be insalled with some help of hackers or malwares-trojans-hijackers etc. Since there is no way to enter my apartment there is no physical contact with my pc except me:D:
and as for your instuctions; i would like to thank u very much.
i'm kind of jumpy and have attention deficency today :sick: (i dont know why though).but i'm really sorry for that.i'm trying to do my best to understand the insructions right.

i'll just repeat step3 if it's also alllright for u because i think i might did it wrong by mixing the order .let me do step 3 again real fast just in case to see everything is allright.:rolleyes:
ok here's what i'm supposed to do then
: step 4 ""Do a system scan only" stuff,
step5 "Run ATF Cleaner" ,
step 6 your instructions on (disabled by BHODemon) post Today, 18:21
and step 7 your last post 18:44 ( misc tools etc. stuff)
deal???

pskelley
2007-06-10, 20:33
Thanks for that feedback, take your time and follow the directions carefully. When working on your computer is no time for rushing. Complete the instructions I posted and then post a HJT log and the uninstall list. We will go from there. When I get a look at your uninstall list, I will be better able to advise you. Let me know how the computer is running when you post also.

Thanks

ozgur1318
2007-06-10, 22:04
hi pskelley i think this time i did it right:cool::rolleyes:
here is my hjt log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:38:42, on 10.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This V2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/tr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (disabled by BHODemon)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Alarmli Sayisal Saat 2.11] C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui önceden yükleyicisi - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Bileşen Katergorileri önbellek daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-674.vo.llnwd.net/00508/47/63/508113674_l.jpg

--
End of file - 7261 bytes

and here is my uninstall log:
7-Zip 4.20
Ad-Aware SE Professional
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
ADSL Bilgilendiricisi (3.02)
ADSL Kota 1.1
Alarmlı Sayısal Saat Kaldır
Anti-Blaxx 1.17
Apple Software Update
ATI Display Driver
BSPlayer
Codec Pack - All In 1 5.0.6.0
Combined Community Codec Pack 2006-05-01 (Remove Only)
Command & Conquer Red Alert 2
Command && Conquer Red Alert 2 - Yuri's Revenge
Cracklock 3.8.8
Crystal Player Free 1.7
DAEMON Tools
DivX 4.12 Codec
Dungeon Lords
EAX Unified
EAX4 Unified Redist
FlashGet 1.8.2.1004
FlashGet(JetCar)
Fritz8
GameSpy Arcade
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Hamachi 0.9.9.9
Hide IP Platinum 2.2
HijackThis 2.0.0
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
iolo technologies' System Mechanic Professional 6
iTunes
Java(TM) SE Development Kit 6 Update 1
Java(TM) SE Runtime Environment 6 Update 1
jv16 PowerTools 2006
Language pack for Ad-Aware SE
Macromedia Flash Player 8
Macromedia Shockwave Player
Matroska Pack - Lazy Man's MKV 0.9.9
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 1.1 Turkish Language Pack
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 için Security Update (BB922770)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Reader
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (1.5.0.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
MySpaceIM
Nero Suite
NetLimiter 1.30 (remove only)
NOD32 antivirus system
Nokia Multimedia Player
NoteIT
Opera
Pack Vista Inspirat 1.1
Packard Bell - Skype 2.0
Packard Bell InfoCentre
Peer2Mail (remove only)
Photodex Presenter
Pro Evolution Soccer 5
QuickTime
Security Update for Microsoft .NET Framework 2.0 (KB917283)
SLD CODEC PACK 1.5
Sonic MyDVD
Sonic RecordNow!
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
The Core Media Player 4.0
USB Vibration Joystick
USB Video Device Driver
Westwood Shared Internet Components
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 Beta 3
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player (KB911564) için Güvenlik Güncelleştirmesi
Windows Media Player 10 (KB911565) için Güvenlik Güncelleştirmesi
Windows Media Player 10 (KB917734) için Güvenlik Güncelleştirmesi
Windows Media Player 11
Windows Media Player 11
Windows Media Player 6.4 (KB925398) için Güvenlik Güncelleştirmesi
Windows XP (KB923689) için Güvenlik Güncelleştirmesi
Windows XP Düzeltme - KB873339
Windows XP Düzeltme - KB885250
Windows XP Düzeltme - KB885835
Windows XP Düzeltme - KB885836
Windows XP Düzeltme - KB886185
Windows XP Düzeltme - KB887472
Windows XP Düzeltme - KB887742
Windows XP Düzeltme - KB888113
Windows XP Düzeltme - KB888302
Windows XP Düzeltme - KB890859
Windows XP Düzeltme - KB891781
Windows XP için Düzeltme (KB935448)
Windows XP için Güncelleştirme (KB894391)
Windows XP için Güncelleştirme (KB898461)
Windows XP için Güncelleştirme (KB900485)
Windows XP için Güncelleştirme (KB900930)
Windows XP için Güncelleştirme (KB910437)
Windows XP için Güncelleştirme (KB911280)
Windows XP için Güncelleştirme (KB916595)
Windows XP için Güncelleştirme (KB920872)
Windows XP için Güncelleştirme (KB922582)
Windows XP için Güncelleştirme (KB927891)
Windows XP için Güncelleştirme (KB929338)
Windows XP için Güncelleştirme (KB930916)
Windows XP için Güncelleştirme (KB931836)
Windows XP için Güvenlik Güncelleştirmesi (KB890046)
Windows XP için Güvenlik Güncelleştirmesi (KB893066)
Windows XP için Güvenlik Güncelleştirmesi (KB893756)
Windows XP için Güvenlik Güncelleştirmesi (KB896358)
Windows XP için Güvenlik Güncelleştirmesi (KB896422)
Windows XP için Güvenlik Güncelleştirmesi (KB896423)
Windows XP için Güvenlik Güncelleştirmesi (KB896424)
Windows XP için Güvenlik Güncelleştirmesi (KB896428)
Windows XP için Güvenlik Güncelleştirmesi (KB899587)
Windows XP için Güvenlik Güncelleştirmesi (KB899591)
Windows XP için Güvenlik Güncelleştirmesi (KB900725)
Windows XP için Güvenlik Güncelleştirmesi (KB901017)
Windows XP için Güvenlik Güncelleştirmesi (KB901214)
Windows XP için Güvenlik Güncelleştirmesi (KB902400)
Windows XP için Güvenlik Güncelleştirmesi (KB904706)
Windows XP için Güvenlik Güncelleştirmesi (KB905414)
Windows XP için Güvenlik Güncelleştirmesi (KB905749)
Windows XP için Güvenlik Güncelleştirmesi (KB905915)
Windows XP için Güvenlik Güncelleştirmesi (KB908519)
Windows XP için Güvenlik Güncelleştirmesi (KB908531)
Windows XP için Güvenlik Güncelleştirmesi (KB911562)
Windows XP için Güvenlik Güncelleştirmesi (KB911567)
Windows XP için Güvenlik Güncelleştirmesi (KB911927)
Windows XP için Güvenlik Güncelleştirmesi (KB912812)
Windows XP için Güvenlik Güncelleştirmesi (KB912919)
Windows XP için Güvenlik Güncelleştirmesi (KB913446)
Windows XP için Güvenlik Güncelleştirmesi (KB913580)
Windows XP için Güvenlik Güncelleştirmesi (KB914388)
Windows XP için Güvenlik Güncelleştirmesi (KB914389)
Windows XP için Güvenlik Güncelleştirmesi (KB916281)
Windows XP için Güvenlik Güncelleştirmesi (KB917159)
Windows XP için Güvenlik Güncelleştirmesi (KB917344)
Windows XP için Güvenlik Güncelleştirmesi (KB917422)
Windows XP için Güvenlik Güncelleştirmesi (KB917953)
Windows XP için Güvenlik Güncelleştirmesi (KB918118)
Windows XP için Güvenlik Güncelleştirmesi (KB918439)
Windows XP için Güvenlik Güncelleştirmesi (KB918899)
Windows XP için Güvenlik Güncelleştirmesi (KB919007)
Windows XP için Güvenlik Güncelleştirmesi (KB920213)
Windows XP için Güvenlik Güncelleştirmesi (KB920214)
Windows XP için Güvenlik Güncelleştirmesi (KB920670)
Windows XP için Güvenlik Güncelleştirmesi (KB920683)
Windows XP için Güvenlik Güncelleştirmesi (KB920685)
Windows XP için Güvenlik Güncelleştirmesi (KB921398)
Windows XP için Güvenlik Güncelleştirmesi (KB921883)
Windows XP için Güvenlik Güncelleştirmesi (KB922616)
Windows XP için Güvenlik Güncelleştirmesi (KB922819)
Windows XP için Güvenlik Güncelleştirmesi (KB923191)
Windows XP için Güvenlik Güncelleştirmesi (KB923414)
Windows XP için Güvenlik Güncelleştirmesi (KB923694)
Windows XP için Güvenlik Güncelleştirmesi (KB923980)
Windows XP için Güvenlik Güncelleştirmesi (KB924191)
Windows XP için Güvenlik Güncelleştirmesi (KB924270)
Windows XP için Güvenlik Güncelleştirmesi (KB924496)
Windows XP için Güvenlik Güncelleştirmesi (KB924667)
Windows XP için Güvenlik Güncelleştirmesi (KB925902)
Windows XP için Güvenlik Güncelleştirmesi (KB926255)
Windows XP için Güvenlik Güncelleştirmesi (KB926436)
Windows XP için Güvenlik Güncelleştirmesi (KB927779)
Windows XP için Güvenlik Güncelleştirmesi (KB927802)
Windows XP için Güvenlik Güncelleştirmesi (KB928255)
Windows XP için Güvenlik Güncelleştirmesi (KB928843)
Windows XP için Güvenlik Güncelleştirmesi (KB930178)
Windows XP için Güvenlik Güncelleştirmesi (KB931261)
Windows XP için Güvenlik Güncelleştirmesi (KB931784)
Windows XP için Güvenlik Güncelleştirmesi (KB932168)
WinRAR archiver
XnView 1.74
XviD MPEG-4 Video Codec
ZoneAlarm

thanks.
now what are we gonna do?

ozgur1318
2007-06-10, 22:21
+i think my computer runs faster and smoother then before.
-but it still has the resolution problem that i mentioned on my very first post.did u remeber.?
- i didnt checked if the safe mod problem is solved yet.

+just waiting for more of your instructions. to kick the trojans and other nasties out of my pc :)
ps: i just remembered i think i deleted a file called "winotify.dll" from ms-dos at yesterday or stg. that was before i read your posts. i was trying to delete some trojans and stupidly by accidently i erased that file. from the folder
c:\windows\system32 .
Was it an important file for windows or is was ita torjan? i fear it was a good file? do u think that will cause me alot of problems???

ozgur1318
2007-06-10, 22:30
ps2: but it's not the file wlnotify.dll !!
it's winotify.dll (if i had such a file .i'm not even sure if dos has erased it,i'm not very familiar with ms-dos prompt
from c:\wındows\system32\
i wrote del "winotify.dll "
and the pc responded

c:windows\system32\

that's it .thanks again..:bigthumb:

pskelley
2007-06-10, 22:53
Much improved:bigthumb: just a couple more items to remove with HJT but first let's look at the uninstall list. .

Uninstall list, this is what I advise.

You have programs that may be illegal, I am sure you know what they are.

I caution great care when downloading Codec, see this:
http://forums.spybot.info/showthread.php?t=7344

Mozilla Firefox (1.5.0.12) <<< out of date and unsafe, if you are going to have it on your computer you should keep it updated:
http://www.mozilla.com/en-US/

I do not see BHODemon installed on the computer?

You should have a look at the programs and get rid of stuff you no long use.
Do not touch hotfix, windows or mirosoft items.

Could you tell me what this program is for: Alarmli Sayisal Saat 2.11

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 21:38:42, on 10.06.2007


Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
(old Java line)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Follow these instructions to run cleanmgr
http://spyware-free.us/tutorials/cleanmgr/

Restart the computer and tell me how the computer is running now.

Thanks

ozgur1318
2007-06-11, 00:58
+ok.i did all of the insructs.
-well i think i exaggerated my laptops performance. it just became a little smother and faster.
-the 2 display problems are still present.
i run the HJT but 2 files cant be found.!!:spider:
O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
(old Java line)
here is the log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:47:42, on 10.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This V2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/tr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll (file missing)
O4 - HKLM\..\Run: [Alarmli Sayisal Saat 2.11] C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui önceden yükleyicisi - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Bileşen Katergorileri önbellek daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-674.vo.llnwd.net/00508/47/63/508113674_l.jpg

--
End of file - 6882 bytes

-:oops:am i clean now? i'm kind of suspicious because after the last start up ,i opened SpybotSD1.4 +tea timer +sd helper and then checked the system start up tool inside SpybotSD: and it seems like all the trojans are in system.ini ?????:oops:
i dont think i did stg wrong; did i.there are 3 posibilites i guess:
1- either they came back from my opera browser; ?
2-or as i removed some stuff from the Spybot SD 1.4 - BHO's tool then they became active again . ?
3-or it happened because of the tea timer? ?
4-or Spybot is just kidding!?

ozgur1318
2007-06-11, 01:01
ps:by the way "sayısal saat" is turkish program.it means digital alarm clock. well it's a digital alarm clock on desktop that can beep or even shut the laptop when the alarm is set.cool eh .:D:

pskelley
2007-06-11, 01:16
1) Your HJT log is clean of malware

2) I don't use TeaTimer, give this a try to reset the TT memory:
Turn off Tea Timer (right-click its icon in the tray area near the windows close and choose exit)
and close SpyBot if open. Download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
To your desktop, run ResetTeaTimer.bat.
Since it will not be needed again delete ResetTeaTimer.bat

3) Go to Start > Run, type System.ini and click Ok. The System.ini file will be displayed. Please copy and paste its contents in a reply.

4) If you have questions about Spybot, the place to find experts in Spybot issues to answer them is here:
http://forums.spybot.info/forumdisplay.php?f=4

5) Let's run a good scan looking for anything that might be hidden from HJT:
Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

Post the results of the AVG Anti-Spyware scan and the System.ini file.

Thanks

ozgur1318
2007-06-11, 01:39
sorry for botherin but the site adress that u give does not match. it just has some scripts ...
http://downloads.subratam.org/ResetTeaTimer.bat

2- shall i try to open mozilla and IE now. because before they were downloadin all the trojan stuff..

pskelley
2007-06-11, 02:01
Download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
To your desktop, run ResetTeaTimer.bat.
Since it will not be needed again delete ResetTeaTimer.bat

That is all you need to do, it will happen when you click on the .bat

Thanks

ozgur1318
2007-06-11, 02:12
my problem was that opera,and mozilla doesnt support taha site.so i forced IE.and got the teatimer.bat :)

ozgur1318
2007-06-11, 02:19
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=app857.FON
EGA80WOA.FON=EGA80857.FON
EGA40WOA.FON=EGA40857.FON
CGA80WOA.FON=CGA80857.FON
CGA40WOA.FON=CGA40857.FON
[ScreenTime]
Password Value=0
previousProjectorProcessID=512
[CineMac]
Password Value=0
previousProjectorProcessID=1004

pskelley
2007-06-11, 02:27
Thanks, I do not see any issues there, those appear to be valid font files:
http://www.infocellar.com/fonts/default-fonts.htm

http://www.google.com/search?hl=en&q=EGA80857.FON&btnG=Google+Search

Thanks

ozgur1318
2007-06-11, 06:50
i run AVG it find 2infected items (3traces )
Hikacker.small.mw
Adware.NewDotNet
and the related files are (icouldnt get the fuıll names though)

c:\system volume ınfo\restore\ ...\clsid \ ... stg
c:\wundofix Backups\22hrso.dll.bad
c:\windows\newdotnet3_38.dll.tobedeleted

i applied all actions but then after i click the reports tab it says "No reports avaliable" ???
and after i choose the infected tab with the button quarantine
Under the Infections tab chose Select All then Remove Finally
but there seems no quarantined objests there??

ozgur1318
2007-06-11, 07:08
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 07:04:34 11.06.2007

+ Scan result:



C:\WINDOWS\newdotnet3_36.dll_tobedeleted -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{07F5AE74-2BB5-4A6E-8AE7-A9A44439AC20}\RP493\A0311103.dll -> Hijacker.Small.mw : Cleaned.
C:\VundoFix Backups\j2241430.dll.bad -> Hijacker.Small.mw : Cleaned.


::Report end

pskelley
2007-06-11, 15:13
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

ozgur1318
2007-06-12, 10:17
hi pskelley ,how is it going ? :bigthumb:
i have 2 more questions for u.:present:
Q1- i did the last insturcions.(system restore stuff)
and read alot of stuff from internet :) learned a lot.thanks for the links .still reading:)
then. i also installed the internet explorer 7 (it wanted a reboot 2 times)
then i did another search from AVG antispyware

it found one of the threats again. namely: hijacker.small.mw
and also says stg like
"the threat traces to:
c:\vundofix Backups\mcoinuka.exe.bad "

Q2:now i have alot of protetion stuff. 1 firewall,1 antivirus program, couple of antispyware programs,and passive protection ..but most of them have monitors or resident or etc.(and some fo them seem like they are doing the same thing.)
so i'm afraid if they may conflict
here is the list of my total protections
1) Zone alarm ( security wall)

2) Nod32 (Antivirus program) it has some stuff that u can turn on or off
a)AMON: File system monitor
b)DMON: Microsoft office document monitor
c)EMON: Microsoft outlook email monitor
d)IMON: Internet monitor

3) Spybot S&D 1.4
a)Resident SD Helper
b)Resident Tea Timer

4) AVG Antispyware 7.5
a) Resident Shield

5) AD-AWARE SE PRO 1.06r1.

6) AD-WATCH SE PRO

7)SpywareGuard 2.2.0
a)Realtime Scannig
b)Download Protection
c)Browser Hijack Protection

8)SpywareBlaster 3.5.1

pskelley
2007-06-12, 13:32
This is left from Vundofix, delete it and any other tools you downloaded for the fix. You may keep ATF-Cleaner if you wish.
c:\vundofix Backups\mcoinuka.exe.bad " <<< delete that folder

Please review the information I posted in my last post, those questions should be answered in those links. If once you have done that, you still have question, post them.

Thanks

ozgur1318
2007-06-12, 21:41
i deleted that folder c:\Vundofix Backups .
but
what do u mean by "an other tools that u downloaded for the fix".
not my spyware programs? right ?
i guess mean just delete vundofix.exe and hijackthis_v2.exe and hijackthis backups folder. ??????

2- yes i readed all the links.and a lot more links.belive me.
it is kind of ambigious or i didnt get it well.
here is what i understand in short:
-only 1 software security wall and only 1 antivirus program to install.
-it seems the spyware programs can be multiple.

-but it doesnt say much about residents and monitors and shields .etc.
but my real question is which of those spyware programs shall i open before connecting to the net??
and which residents adn monitors will be enough and efficiently protect my pc without conflicting each other??

let me give u an example: lets say both ad-watch and teatimer are open, when a program wants to change my registery both of them respond to the same stuff and ask me "regisry change detected do u acccept or deny etc" twice.
and i'm not sure about nod32's monitors and AVG's shield; they may also do stg like that???

pskelley
2007-06-12, 22:13
Delete Vundo fix and Vundofix backups

HJT is a great program, I would not remove it, but this is totally up to you.
Here is some information:
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=faq#
You can delete the backups if you are sure you will not need them. Some other programs will scan the backups as threats, but they can not get back on your computer unless you restore them personally.

Do not run TeaTimer and SpywareGuard 2.2.0 at the same time, they do the same thing. I personally run SG and turn TeaTimer off on my computer.
http://www.malwarehelp.org/how-to-enabledisable-spybot-teatimer.html

SpywareGuard tut: http://www.bleepingcomputer.com/forums/tutorial50.html

I do not run Ad-watch (I do run Ad-Aware personal free) so you will need to consult the program or Ad-Aware Ad-watch tech support for answers:
http://www.google.com/search?hl=en&q=Ad-aware+tutorial&btnG=Search

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
I posted this before, we downloaded this program as a trial to look for hidden malware. Once you are finished with it, since it give no realtime protections after the trial is over, it should be turned completely off or uninstalled.

Thanks

ozgur1318
2007-06-12, 23:17
thanks for the info.
1)i have always googletoolbar notifier coming at my startup?
and also c:\windows\system32\ntfmon.exe
even if i uncheck them from Spybot SD's system start up tools.
can u give me link for what are they used for, or what is their purpose?

2)i have some zone alarm questions.i'm not sure if they are appropirate to ask here?

3):spider: and my display problems ( started 5-6 days ago that is after my trojan threats ,but before the time we get rid of the trojans) ; are still present!!! (i noticed them at my very first post.remember? )
i thought the display proglems were happening because of the trojans; but they are still there so, trıjans cant be the cause?! right??
DO u know where can i ask them,some forums, or some info, or u can help solving them if u want ?

thanks a lot :bigthumb:

pskelley
2007-06-13, 00:19
Let me first say that while I am good at removing malware, I do not know everything. Many of the questions you are asking would be better answered at the websites of the programs which all have extensive faq areas.

googletoolbar notifier <<< had to be installed by someone who uses the computer. Most of this information is covered in link I have already posted.

http://www.netsquirrel.com/msconfig/ <<< see this

Here is a link to the Google search engine which will answer aboput any question you ask it: http://www.google.com/
http://www.google.com/search?hl=en&q=googletoolbar+notifier&btnG=Google+Search

Zone Alarm: Right click the program in the System tray. Choose Restore ZoneAlarm Control Center.
To the right are two key areas for unstanding, ?HELP and under it is a Flash Tutorial. If you are going to run this firewall, you should know the information in those areas, your firewall is a key to your security.

You will need to provide more information about "display problems" or do as I said and use Google:
http://www.google.com/search?hl=en&q=display+problems&btnG=Search
I probably know no more about display issues that you do, all I would do would be to Google any information you provide.

Thank you

pskelley
2007-06-17, 21:59
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks...pskelley