Urgent Help for the Trojan "Virtumonde".

ozgur1318

Hi, my computer is infected by the trojan "Virtumonde",
and some other stuff, namely: Smitfraud-C., Toolbar 888, etc.
I hope I got rid of them with the combination of Ad Aware SE Pro, Spybot S&D 1.4, Kaspersky Anti Virus Personal and Windows Live Safety Center (online virus scan).
It seems they successfully removed them and they don't come back after a restart, except "Virtumonde".
I found some useful information on the site http://forums.spybot.info/showthread.php?t=288.
I tried to follow the instructions but failed somehow.
- I installed Spybot S&D 1.4 already and updated all the latest definitions.
- I ran an online anti-virus scan. (It's from the site safety.live.com, Windows Live Safety Center. It's a Microsoft Windows product.)
1- I couldn't do a scan on eTrust Antivirus Web Scanner because my Internet Explorer browser and other browsers have some problems with ActiveX.
2- I can't reboot my computer in safe mode, because... well, that is a long story. After I push F8 and choose Safe Mode, some MS-DOS stuff comes up. And after that it
goes to the Windows startup, but it asks me to choose the user. So I choose it. I guess till here everything seems normal. But wait, I'm coming to the point.
After I choose the user and log in, the only thing I see is a black screen which has some writing: on the 4 corners of the screen it says "Windows Safe
Mode" and on the top of the screen it says "Microsoft Windows Service Pack 2", etc. So there is no desktop. I can't see it. (I guess some of the trojans
secretly changed some of my display/screen settings or interfere with them somehow! For example: all the games that I have on my computer worked properly before, but
now when I enter the games, I can play, but the game's resolution seems changed. My screen is narrowed down from both sides, right and left, even if
everything seems normal in the options menu, and those problems can't be solved from the in-game options/resolution menu, etc.)
3- So I ran Spybot a couple of times without safe mode, but it seems to find the trojan "Virtumonde", tries to delete
it, but it can't delete one of the files, and after I restart the files come back.
4- So I installed Hijackthis.zip and extracted it. Ran Hijack.exe. Double-clicked HijackThis.exe. Followed the instructions as written:
"Hit None Of The Above, just start the program.
Hit Scan.
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click that, save the log somewhere,"
My problem with this is I can't find my log files, because I don't have any idea where it saves its log files. I checked the folder where I installed
hijackthis.exe and hijackThis.zip,
but no, there isn't any log file.
- I wasn't able to find the log file of my virus scan either. (I checked C:\Program Files\Windows Live Safety Center
and found a log file called TitanLog.log, but this log file seems empty, 0 KB. I have no idea what the hell is going on :) )
- On my computer I have so many log files. But they seem like installation logs or other stuff, I guess.
CAN U GIVE ME SOME TIPS ABOUT FINDING THE APPROPRIATE LOGS SO I CAN SEND THEM HERE?
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Hard to say if I can help until you follow the instructions. I hope this is WindowsXP, no tools exist for removing Vundo from Vista yet that I know of. Follow the above instructions and when it comes time to get the HJT log, do this:

Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
Download it to your Program Files folder.
Doubleclick the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThis log.
Copy and paste the contents of the log in your next reply.

Thanks
 
Here is my Hijack this log.

Yes, I have Windows XP with Vista.
OK, here is my HijackThis log:
Thanks :bigthumb:
PS: I couldn't do the online scan from eTrust Antivirus Web Scanner because I have some problems with my IE browser.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:17:58, on 10.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Program Files\Eset\nod32.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Hijack This V2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/tr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E134279-1FF4-4A69-A2D1-87F48570D4F0} - (disabled by BHODemon)
O2 - BHO: (no name) - {19F0761B-8EC9-406E-B155-0B70069FE344} - C:\WINDOWS\system32\vtspp.dll
O2 - BHO: (no name) - {211EE93F-0B1B-4AC4-BA16-25CEFF9CA793} - (no file)
O2 - BHO: (no name) - {2772CF0B-8E98-4251-851F-C4D0B47F87F2} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (disabled by BHODemon)
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\ljjhecd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {707886CA-80C6-4C75-8695-B512D5D2814A} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: (no name) - {9AE0424B-AF71-4494-9FF7-CDA48E9AE98e} - C:\WINDOWS\system32\qnvddumu.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (disabled by BHODemon)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\whdagraq.dll (disabled by BHODemon)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\dktyjopw.dll (disabled by BHODemon)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (disabled by BHODemon)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Alarmli Sayisal Saat 2.11] C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ljjhecd - C:\WINDOWS\SYSTEM32\ljjhecd.dll
O20 - Winlogon Notify: tuvurst - C:\WINDOWS\
O20 - Winlogon Notify: urqrsro - C:\WINDOWS\
O20 - Winlogon Notify: vtspp - C:\WINDOWS\system32\vtspp.dll
O20 - Winlogon Notify: xxyvspm - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui önceden yükleyicisi - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Bileşen Katergorileri önbellek daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-674.vo.llnwd.net/00508/47/63/508113674_l.jpg

--
End of file - 9143 bytes
 
Thanks for returning your information and the feedback. You say you have both Windows XP and Vista installed? I have no idea how that will affect our removal efforts, wish us luck. You have a Vundo infection, here is some information for your benefit:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter.../getting_the_fix_on_winfixer_aol_network_now/


See this information: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_05\ <<< very out of date, download the newest version and uninstall all old versions in Add Remove Programs. This is likely the reason you are infected.

I will provide a lot of instructions at once. I am in no way trying to rush you and I encourage you to work carefully through the instructions. Those who follow the directions have few problems removing this infection.

1) Turn off SpybotSD TeaTimer, it will block changes we must make:
http://russelltexas.com/malware/teatimer.htm

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. VundoFix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

3) Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

(save the report and log until you finish)


4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(items may be missing, removed by Vundofix. Do not be concerned)

(I also do not know how the BHODemon will affect this removal)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {0E134279-1FF4-4A69-A2D1-87F48570D4F0} - (disabled by BHODemon)
O2 - BHO: (no name) - {19F0761B-8EC9-406E-B155-0B70069FE344} - C:\WINDOWS\system32\vtspp.dll
O2 - BHO: (no name) - {211EE93F-0B1B-4AC4-BA16-25CEFF9CA793} - (no file)
O2 - BHO: (no name) - {2772CF0B-8E98-4251-851F-C4D0B47F87F2} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (disabled by BHODemon)
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\ljjhecd.dll
O2 - BHO: (no name) - {707886CA-80C6-4C75-8695-B512D5D2814A} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9AE0424B-AF71-4494-9FF7-CDA48E9AE98e} - C:\WINDOWS\system32\qnvddumu.dll (disabled by BHODemon)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\whdagraq.dll (disabled by BHODemon) G
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\dktyjopw.dll (disabled by BHODemon)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (disabled by BHODemon) G
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O20 - Winlogon Notify: ljjhecd - C:\WINDOWS\SYSTEM32\ljjhecd.dll
O20 - Winlogon Notify: tuvurst - C:\WINDOWS\
O20 - Winlogon Notify: urqrsro - C:\WINDOWS\
O20 - Winlogon Notify: vtspp - C:\WINDOWS\system32\vtspp.dll
O20 - Winlogon Notify: xxyvspm - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the Vundofix report and a new HJT log.

Thanks
 
Sorry, but I might have done it wrong; if I did, correct me please!

I couldn't understand it well. I might have done it wrong, I'm not sure.
Here is what I did. I did everything until step 3 (the Vundo part).
Now:
" Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. "
Yes, VundoFix couldn't remove one of them; * :oops: here something strange happened: (my antivirus program NOD32: one of its monitors was open and quarantined c:\Vundofix Backups\vtspp.dll.bad)
and VundoFix wanted a reboot. I clicked OK.

-:oops:- Then after the reboot, I clicked the Remove Vundo button without clicking the Scan for Vundo button first!!!
Here is my new HijackThis log. Sorry, but I might have done it wrong; if I did, correct me please! Thanks

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:53:08, on 10.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This V2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/tr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E134279-1FF4-4A69-A2D1-87F48570D4F0} - (disabled by BHODemon)
O2 - BHO: (no name) - {211EE93F-0B1B-4AC4-BA16-25CEFF9CA793} - (no file)
O2 - BHO: (no name) - {2772CF0B-8E98-4251-851F-C4D0B47F87F2} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (disabled by BHODemon)
O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: (no name) - {707886CA-80C6-4C75-8695-B512D5D2814A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: (no name) - {9AE0424B-AF71-4494-9FF7-CDA48E9AE98e} - C:\WINDOWS\system32\qnvddumu.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (disabled by BHODemon)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\dktyjopw.dll (disabled by BHODemon)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (disabled by BHODemon)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Alarmli Sayisal Saat 2.11] C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui önceden yükleyicisi - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Bileşen Katergorileri önbellek daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-674.vo.llnwd.net/00508/47/63/508113674_l.jpg

--
End of file - 8491 bytes
 
You did not post the Vundofix report? It is located here: C:\vundofix.txt
It appears you used the tool OK but you missed a lot of junk with HJT.

When I see an item like this:
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (disabled by BHODemon)
It has been disabled by http://www.definitivesolutions.com/bhodemon.htm <<< this program, so I removed those items. BHODemon is a program on your computer that has to be used by someone with access to the computer.
BHODemon may be stopping HJT from removing them, turn that program off and then use HJT.


Let's have another go with HJT, the instructions are as plain as I can make them:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {0E134279-1FF4-4A69-A2D1-87F48570D4F0} - (disabled by BHODemon)
O2 - BHO: (no name) - {211EE93F-0B1B-4AC4-BA16-25CEFF9CA793} - (no file)
O2 - BHO: (no name) - {2772CF0B-8E98-4251-851F-C4D0B47F87F2} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (disabled by BHODemon)
O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: (no name) - {707886CA-80C6-4C75-8695-B512D5D2814A} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: (no name) - {9AE0424B-AF71-4494-9FF7-CDA48E9AE98e} - C:\WINDOWS\system32\qnvddumu.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (disabled by BHODemon)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\dktyjopw.dll (disabled by BHODemon)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll (disabled by BHODemon)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -

Close all programs but HJT and all browser windows, then click on "Fix Checked"


Post the Vundofix report and a new HJT log.

Thanks
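
Added example, not part of the thread: a Python check of which lines from a HijackThis fix list are still present in a later log, matching entries by section code plus CLSID so that notes such as "(disabled by BHODemon)" do not hide a match. The two samples are abridged from the fix list and the second log posted above; the function names and the matching rule are this example's own assumptions.

```python
import re

# Section code ("O2", "O20", "R0", ...) followed by the entry text.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)", re.IGNORECASE)

# Abridged from the step 4 fix list in this thread (trailing " G" kept as posted).
FIX_LIST = r"""
O2 - BHO: (no name) - {19F0761B-8EC9-406E-B155-0B70069FE344} - C:\WINDOWS\system32\vtspp.dll
O2 - BHO: (no name) - {211EE93F-0B1B-4AC4-BA16-25CEFF9CA793} - (no file)
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\whdagraq.dll (disabled by BHODemon) G
O20 - Winlogon Notify: vtspp - C:\WINDOWS\system32\vtspp.dll
O20 - Winlogon Notify: tuvurst - C:\WINDOWS\
"""

# Abridged from the second HijackThis log in this thread.
LATER_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {211EE93F-0B1B-4AC4-BA16-25CEFF9CA793} - (no file)
O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
"""


def parse_entries(text):
    """Return one dict per HijackThis entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m["body"]
        clsid = CLSID_RE.search(body)
        path = FILE_RE.search(body)
        # CLSIDs and Windows paths are case-insensitive, so normalise both.
        ident = clsid.group(0).upper() if clsid else body.lower()
        entries.append({
            "key": (m["code"], ident),
            "file": path.group(0).lower() if path else None,
            "line": line,
        })
    return entries


def check_fix_list(fix_list, later_log):
    """Compare the lines that were meant to be fixed with a later log."""
    wanted = parse_entries(fix_list)
    later = parse_entries(later_log)
    wanted_keys = {e["key"] for e in wanted}
    later_keys = {e["key"] for e in later}
    wanted_files = {e["file"] for e in wanted if e["file"]}
    return {
        # Fix-list entries that the later log still shows.
        "still_present": [e["line"] for e in wanted if e["key"] in later_keys],
        # Fix-list entries that no longer appear.
        "cleared": [e["line"] for e in wanted if e["key"] not in later_keys],
        # Later entries naming a fix-list file under a key the list did not have.
        "same_file_new_key": [
            e["line"] for e in later
            if e["key"] not in wanted_keys and e["file"] in wanted_files
        ],
    }


if __name__ == "__main__":
    for bucket, lines in check_fix_list(FIX_LIST, LATER_LOG).items():
        print(bucket)
        for line in lines:
            print("   ", line)
```

On these samples the `{211EE93F-...}` entry is still present, and vtspp.dll shows up again under a CLSID that was not in the fix list, which is why a line-by-line text comparison of two logs is not enough.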
 
Here is my vundofix.log. Yeah, I just forgot to put it.

VundoFix V6.5.0

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 16:34:52 10.06.2007

Listing files found while scanning....

C:\windows\system32\bmrbgcoq.ini
C:\WINDOWS\system32\drutesmk.dll
C:\windows\system32\idlupwto.dll
C:\windows\system32\j2241430.dll
C:\WINDOWS\system32\ljjhecd.dll
C:\WINDOWS\system32\lurnvptk.dll
C:\windows\system32\mcoinuka.exe
C:\windows\system32\otwpuldi.ini
C:\windows\system32\ppstv.bak1
C:\windows\system32\ppstv.bak2
C:\windows\system32\ppstv.ini
C:\windows\system32\ppstv.ini2
C:\windows\system32\qocgbrmb.dll
C:\windows\system32\rmhksdpv.dll
C:\WINDOWS\system32\ttyimdrc.dll
C:\windows\system32\vpdskhmr.ini
C:\WINDOWS\system32\vtspp.dll
C:\WINDOWS\system32\whdagraq.dll__BHODemonDisabled
C:\WINDOWS\system32\xktofual.dll

Beginning removal...

Attempting to delete C:\windows\system32\bmrbgcoq.ini
C:\windows\system32\bmrbgcoq.ini Has been deleted!

Attempting to delete C:\windows\system32\idlupwto.dll
C:\windows\system32\idlupwto.dll Has been deleted!

Attempting to delete C:\windows\system32\j2241430.dll
C:\windows\system32\j2241430.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjhecd.dll
C:\WINDOWS\system32\ljjhecd.dll Could not be deleted.

Attempting to delete C:\windows\system32\mcoinuka.exe
C:\windows\system32\mcoinuka.exe Has been deleted!

Attempting to delete C:\windows\system32\otwpuldi.ini
C:\windows\system32\otwpuldi.ini Has been deleted!

Attempting to delete C:\windows\system32\ppstv.bak1
C:\windows\system32\ppstv.bak1 Has been deleted!

Attempting to delete C:\windows\system32\ppstv.bak2
C:\windows\system32\ppstv.bak2 Has been deleted!

Attempting to delete C:\windows\system32\ppstv.ini
C:\windows\system32\ppstv.ini Has been deleted!

Attempting to delete C:\windows\system32\ppstv.ini2
C:\windows\system32\ppstv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\qocgbrmb.dll
C:\windows\system32\qocgbrmb.dll Has been deleted!

Attempting to delete C:\windows\system32\rmhksdpv.dll
C:\windows\system32\rmhksdpv.dll Has been deleted!

Attempting to delete C:\windows\system32\vpdskhmr.ini
C:\windows\system32\vpdskhmr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtspp.dll
C:\WINDOWS\system32\vtspp.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ljjhecd.dll
C:\WINDOWS\system32\ljjhecd.dll Has been deleted!

Performing Repairs to the registry.
Done!
 
BHOdemon?? i read the link but i got confused...

Hi pskelley.
I read the link about BHODemon and somewhat understand what it is,
but I don't know how to close it, or where it is. Which program on my computer is BHODemon? I don't remember installing a program named BHODemon, so I guess it must have been installed secretly via the internet with the help of some malware?
And are you saying this program is BHODemon?
C:\Program Files\FlashGet\jccatch.dll

thanks
 
PS: Correct me if I'm wrong!

And PS: I didn't get through steps 4 and 5 yet. As I said earlier, I just did step 3 (the VundoFix part + HijackThis) and sent you the 2 logs.
Just trying to do what you say, right?
(A reminder to prevent misunderstanding! :D:)
 
Who does this computer belong to? If it is yours, how can you not know what those two programs are? BHODemon no longer updates and is about obsolete and it would have been installed on the computer by someone, not as you are suggesting. Is there someone in the house who knows more about this computer than you do? I want to point out to you that these remote repairs are hard enough to do anyway, without being attempted by someone who does not know what is installed on the computer.

Follow these directions but not until the instructions I posted earlier are completed!

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
 
I appreciate your help

I'm the owner of this PC, so the only one who uses this PC. But either I installed a program like that by mistake and forgot, or it must have been installed with some help from hackers or malware (trojans, hijackers, etc.). Since there is no way to enter my apartment, there is no physical contact with my PC except me :D:
And as for your instructions, I would like to thank you very much.
I'm kind of jumpy and have an attention deficiency today :sick: (I don't know why though), but I'm really sorry for that. I'm trying to do my best to understand the instructions right.

I'll just repeat step 3, if that's also all right with you, because I think I might have done it wrong by mixing up the order. Let me do step 3 again real fast, just in case, to see everything is all right. :rolleyes:
OK, here's what I'm supposed to do then:
step 4: the "Do a system scan only" stuff,
step 5: "Run ATF Cleaner",
step 6: your instructions in the (disabled by BHODemon) post, today, 18:21,
and step 7: your last post, 18:44 (Misc Tools etc. stuff).
Deal???
 
Thanks for that feedback, take your time and follow the directions carefully. When working on your computer is no time for rushing. Complete the instructions I posted and then post a HJT log and the uninstall list. We will go from there. When I get a look at your uninstall list, I will be better able to advise you. Let me know how the computer is running when you post also.

Thanks
 
Hi pskelley, I think this time I did it right

Hi pskelley, I think this time I did it right :cool::rolleyes:
Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:38:42, on 10.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This V2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/tr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (disabled by BHODemon)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Alarmli Sayisal Saat 2.11] C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui önceden yükleyicisi - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Bileşen Katergorileri önbellek daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-674.vo.llnwd.net/00508/47/63/508113674_l.jpg

--
End of file - 7261 bytes

and here is my uninstall log:
7-Zip 4.20
Ad-Aware SE Professional
Adobe Reader 7.0.9
Adobe® Photoshop® Album Starter Edition 3.0
ADSL Bilgilendiricisi (3.02)
ADSL Kota 1.1
Alarmlı Sayısal Saat Kaldır
Anti-Blaxx 1.17
Apple Software Update
ATI Display Driver
BSPlayer
Codec Pack - All In 1 5.0.6.0
Combined Community Codec Pack 2006-05-01 (Remove Only)
Command & Conquer Red Alert 2
Command && Conquer Red Alert 2 - Yuri's Revenge
Cracklock 3.8.8
Crystal Player Free 1.7
DAEMON Tools
DivX 4.12 Codec
Dungeon Lords
EAX Unified
EAX4 Unified Redist
FlashGet 1.8.2.1004
FlashGet(JetCar)
Fritz8
GameSpy Arcade
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Hamachi 0.9.9.9
Hide IP Platinum 2.2
HijackThis 2.0.0
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
iolo technologies' System Mechanic Professional 6
iTunes
Java(TM) SE Development Kit 6 Update 1
Java(TM) SE Runtime Environment 6 Update 1
jv16 PowerTools 2006
Language pack for Ad-Aware SE
Macromedia Flash Player 8
Macromedia Shockwave Player
Matroska Pack - Lazy Man's MKV 0.9.9
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 1.1 Turkish Language Pack
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 için Security Update (BB922770)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Reader
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (1.5.0.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
MySpaceIM
Nero Suite
NetLimiter 1.30 (remove only)
NOD32 antivirus system
Nokia Multimedia Player
NoteIT
Opera
Pack Vista Inspirat 1.1
Packard Bell - Skype 2.0
Packard Bell InfoCentre
Peer2Mail (remove only)
Photodex Presenter
Pro Evolution Soccer 5
QuickTime
Security Update for Microsoft .NET Framework 2.0 (KB917283)
SLD CODEC PACK 1.5
Sonic MyDVD
Sonic RecordNow!
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
The Core Media Player 4.0
USB Vibration Joystick
USB Video Device Driver
Westwood Shared Internet Components
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 Beta 3
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player (KB911564) için Güvenlik Güncelleştirmesi
Windows Media Player 10 (KB911565) için Güvenlik Güncelleştirmesi
Windows Media Player 10 (KB917734) için Güvenlik Güncelleştirmesi
Windows Media Player 11
Windows Media Player 11
Windows Media Player 6.4 (KB925398) için Güvenlik Güncelleştirmesi
Windows XP (KB923689) için Güvenlik Güncelleştirmesi
Windows XP Düzeltme - KB873339
Windows XP Düzeltme - KB885250
Windows XP Düzeltme - KB885835
Windows XP Düzeltme - KB885836
Windows XP Düzeltme - KB886185
Windows XP Düzeltme - KB887472
Windows XP Düzeltme - KB887742
Windows XP Düzeltme - KB888113
Windows XP Düzeltme - KB888302
Windows XP Düzeltme - KB890859
Windows XP Düzeltme - KB891781
Windows XP için Düzeltme (KB935448)
Windows XP için Güncelleştirme (KB894391)
Windows XP için Güncelleştirme (KB898461)
Windows XP için Güncelleştirme (KB900485)
Windows XP için Güncelleştirme (KB900930)
Windows XP için Güncelleştirme (KB910437)
Windows XP için Güncelleştirme (KB911280)
Windows XP için Güncelleştirme (KB916595)
Windows XP için Güncelleştirme (KB920872)
Windows XP için Güncelleştirme (KB922582)
Windows XP için Güncelleştirme (KB927891)
Windows XP için Güncelleştirme (KB929338)
Windows XP için Güncelleştirme (KB930916)
Windows XP için Güncelleştirme (KB931836)
Windows XP için Güvenlik Güncelleştirmesi (KB890046)
Windows XP için Güvenlik Güncelleştirmesi (KB893066)
Windows XP için Güvenlik Güncelleştirmesi (KB893756)
Windows XP için Güvenlik Güncelleştirmesi (KB896358)
Windows XP için Güvenlik Güncelleştirmesi (KB896422)
Windows XP için Güvenlik Güncelleştirmesi (KB896423)
Windows XP için Güvenlik Güncelleştirmesi (KB896424)
Windows XP için Güvenlik Güncelleştirmesi (KB896428)
Windows XP için Güvenlik Güncelleştirmesi (KB899587)
Windows XP için Güvenlik Güncelleştirmesi (KB899591)
Windows XP için Güvenlik Güncelleştirmesi (KB900725)
Windows XP için Güvenlik Güncelleştirmesi (KB901017)
Windows XP için Güvenlik Güncelleştirmesi (KB901214)
Windows XP için Güvenlik Güncelleştirmesi (KB902400)
Windows XP için Güvenlik Güncelleştirmesi (KB904706)
Windows XP için Güvenlik Güncelleştirmesi (KB905414)
Windows XP için Güvenlik Güncelleştirmesi (KB905749)
Windows XP için Güvenlik Güncelleştirmesi (KB905915)
Windows XP için Güvenlik Güncelleştirmesi (KB908519)
Windows XP için Güvenlik Güncelleştirmesi (KB908531)
Windows XP için Güvenlik Güncelleştirmesi (KB911562)
Windows XP için Güvenlik Güncelleştirmesi (KB911567)
Windows XP için Güvenlik Güncelleştirmesi (KB911927)
Windows XP için Güvenlik Güncelleştirmesi (KB912812)
Windows XP için Güvenlik Güncelleştirmesi (KB912919)
Windows XP için Güvenlik Güncelleştirmesi (KB913446)
Windows XP için Güvenlik Güncelleştirmesi (KB913580)
Windows XP için Güvenlik Güncelleştirmesi (KB914388)
Windows XP için Güvenlik Güncelleştirmesi (KB914389)
Windows XP için Güvenlik Güncelleştirmesi (KB916281)
Windows XP için Güvenlik Güncelleştirmesi (KB917159)
Windows XP için Güvenlik Güncelleştirmesi (KB917344)
Windows XP için Güvenlik Güncelleştirmesi (KB917422)
Windows XP için Güvenlik Güncelleştirmesi (KB917953)
Windows XP için Güvenlik Güncelleştirmesi (KB918118)
Windows XP için Güvenlik Güncelleştirmesi (KB918439)
Windows XP için Güvenlik Güncelleştirmesi (KB918899)
Windows XP için Güvenlik Güncelleştirmesi (KB919007)
Windows XP için Güvenlik Güncelleştirmesi (KB920213)
Windows XP için Güvenlik Güncelleştirmesi (KB920214)
Windows XP için Güvenlik Güncelleştirmesi (KB920670)
Windows XP için Güvenlik Güncelleştirmesi (KB920683)
Windows XP için Güvenlik Güncelleştirmesi (KB920685)
Windows XP için Güvenlik Güncelleştirmesi (KB921398)
Windows XP için Güvenlik Güncelleştirmesi (KB921883)
Windows XP için Güvenlik Güncelleştirmesi (KB922616)
Windows XP için Güvenlik Güncelleştirmesi (KB922819)
Windows XP için Güvenlik Güncelleştirmesi (KB923191)
Windows XP için Güvenlik Güncelleştirmesi (KB923414)
Windows XP için Güvenlik Güncelleştirmesi (KB923694)
Windows XP için Güvenlik Güncelleştirmesi (KB923980)
Windows XP için Güvenlik Güncelleştirmesi (KB924191)
Windows XP için Güvenlik Güncelleştirmesi (KB924270)
Windows XP için Güvenlik Güncelleştirmesi (KB924496)
Windows XP için Güvenlik Güncelleştirmesi (KB924667)
Windows XP için Güvenlik Güncelleştirmesi (KB925902)
Windows XP için Güvenlik Güncelleştirmesi (KB926255)
Windows XP için Güvenlik Güncelleştirmesi (KB926436)
Windows XP için Güvenlik Güncelleştirmesi (KB927779)
Windows XP için Güvenlik Güncelleştirmesi (KB927802)
Windows XP için Güvenlik Güncelleştirmesi (KB928255)
Windows XP için Güvenlik Güncelleştirmesi (KB928843)
Windows XP için Güvenlik Güncelleştirmesi (KB930178)
Windows XP için Güvenlik Güncelleştirmesi (KB931261)
Windows XP için Güvenlik Güncelleştirmesi (KB931784)
Windows XP için Güvenlik Güncelleştirmesi (KB932168)
WinRAR archiver
XnView 1.74
XviD MPEG-4 Video Codec
ZoneAlarm

thanks.
now what are we gonna do?
 
hey:)

+I think my computer runs faster and smoother than before.
-But it still has the resolution problem that I mentioned in my very first post. Do you remember?
-I haven't checked whether the Safe Mode problem is solved yet.

+Just waiting for more of your instructions to kick the trojans and other nasties out of my PC :)
PS: I just remembered, I think I deleted a file called "winotify.dll" from MS-DOS yesterday or something. That was before I read your posts. I was trying to delete some trojans and stupidly, by accident, I erased that file from the folder
c:\windows\system32 .
Was it an important file for Windows or was it a trojan? I fear it was a good file. Do you think that will cause me a lot of problems???
 
ps2

PS2: But it's not the file wlnotify.dll!!
It's winotify.dll (if I had such a file. I'm not even sure if DOS has erased it; I'm not very familiar with the MS-DOS prompt).
From c:\windows\system32\
I wrote del "winotify.dll "
and the PC responded

c:windows\system32\

That's it. Thanks again. :bigthumb:
 
Much improved :bigthumb: Just a couple more items to remove with HJT, but first let's look at the uninstall list.

Uninstall list, this is what I advise.

You have programs that may be illegal, I am sure you know what they are.

I caution great care when downloading Codec, see this:
http://forums.spybot.info/showthread.php?t=7344

Mozilla Firefox (1.5.0.12) <<< out of date and unsafe, if you are going to have it on your computer you should keep it updated:
http://www.mozilla.com/en-US/

I do not see BHODemon installed on the computer?

You should have a look at the programs and get rid of stuff you no longer use.
Do not touch hotfix, Windows or Microsoft items.

Could you tell me what this program is for: Alarmli Sayisal Saat 2.11

Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 21:38:42, on 10.06.2007


Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
(old Java line)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Follow these instructions to run cleanmgr
http://spyware-free.us/tutorials/cleanmgr/

Restart the computer and tell me how the computer is running now.

Thanks
 
Hi again pskelley. More problems or?

+OK, I did all of the instructions.
-Well, I think I exaggerated my laptop's performance. It just became a little smoother and faster.
-The 2 display problems are still present.
I ran HJT but 2 files can't be found!! :spider:
O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
(old Java line)
here is the log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:47:42, on 10.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This V2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/tr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll (file missing)
O4 - HKLM\..\Run: [Alarmli Sayisal Saat 2.11] C:\PROGRA~1\KURYAZ~1\SAYISA~1\Saat.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui önceden yükleyicisi - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Bileşen Katergorileri önbellek daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://myspace-674.vo.llnwd.net/00508/47/63/508113674_l.jpg

--
End of file - 6882 bytes

-:oops: Am I clean now? I'm kind of suspicious because after the last startup, I opened Spybot S&D 1.4 + TeaTimer + SDHelper and then checked the System Startup tool inside Spybot S&D, and it seems like all the trojans are in system.ini????? :oops:
I don't think I did something wrong, did I? There are 3 possibilities, I guess:
1- either they came back from my Opera browser?
2- or, as I removed some stuff with the Spybot S&D 1.4 BHOs tool, they became active again?
3- or it happened because of TeaTimer?
4- or Spybot is just kidding!?
 
PS: sayısal saat

PS: By the way, "sayısal saat" is a Turkish program. It means digital alarm clock. Well, it's a digital alarm clock on the desktop that can beep or even shut down the laptop when the alarm is set. Cool, eh? :D:
 
1) Your HJT log is clean of malware

2) I don't use TeaTimer, give this a try to reset the TT memory:
Turn off Tea Timer (right-click its icon in the tray area near the windows close and choose exit)
and close SpyBot if open. Download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
To your desktop, run ResetTeaTimer.bat.
Since it will not be needed again delete ResetTeaTimer.bat

3) Go to Start > Run, type System.ini and click Ok. The System.ini file will be displayed. Please copy and paste its contents in a reply.

4) If you have questions about Spybot, the place to find experts in Spybot issues to answer them is here:
http://forums.spybot.info/forumdisplay.php?f=4

5) Let's run a good scan looking for anything that might be hidden from HJT:
Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

Post the results of the AVG Anti-Spyware scan and the System.ini file.

Thanks
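
The before/after check between the 21:38:42 and 23:47:42 HijackThis logs above can be scripted. The following is an added example, not part of the original thread and not code from HijackThis: it parses the numbered entry lines, reports what a fix removed, what newly appeared, and which remaining entries point at a missing file. The function names and the trimmed sample logs are assumptions made for this example.

```python
import re

# Constructed excerpts: a few entry lines copied from the 21:38:42 and 23:47:42
# HijackThis logs in this thread (GUIDs and paths unchanged, most lines left out).
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {65F5BA87-538F-43A7-ACA2-1CFE661560FF} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll (disabled by BHODemon)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
"""

LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# An entry line is a section code (R0, O2, O16, ...) followed by " - " and a body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# Trailing annotations that describe the entry's state rather than its identity.
STATUS_RE = re.compile(r"\s*\((file missing|disabled by [^)]+)\)$")


def parse_entries(log_text):
    """Map (section code, normalised body) -> status for every entry line."""
    entries = {}
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header, process list, blank line
        code, body = match.group("code"), match.group("body")
        status_match = STATUS_RE.search(body)
        status = status_match.group(1) if status_match else "present"
        # Windows paths are case-insensitive, so compare bodies in lower case.
        ident = STATUS_RE.sub("", body).strip().lower()
        # An O16 (Downloaded Program Files) line ending in "-" has no codebase URL.
        if code == "O16" and ident.endswith("-"):
            status = "empty codebase"
        entries[(code, ident)] = status
    return entries


def diff_logs(before_text, after_text):
    """Compare two scans: removed, added, status changes, and leftover orphans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted(
            (k, before[k], after[k])
            for k in before
            if k in after and before[k] != after[k]
        ),
        "orphaned": sorted(
            k for k, s in after.items() if s in ("file missing", "empty codebase")
        ),
    }


if __name__ == "__main__":
    report = diff_logs(LOG_BEFORE, LOG_AFTER)
    for section, items in report.items():
        print(f"{section}: {len(items)}")
        for item in items:
            print("   ", item)
```

An entry listed under "added" is not automatically malicious (here it is the ctfmon.exe Run key), but it is the short list worth reading line by line after a cleanup.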
 