Guys, a virus got in an hour ago. I can't open programs outside Safe Mode. I used ComboFix, but where should I send the log? Is there anyone among us who could analyze it?
ComboFix 10-04-29.05 - Administrator 30.04.2010 20:58:15.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1254.90.1055.18.2046.1588 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Administrator
c:\documents and settings\Administrator\Application Data\msnmsgr.exe
c:\documents and settings\Administrator\Application Data\ntcom.dll
c:\documents and settings\Administrator\eula.txt
C:\install.exe
c:\program files\Cheat Engine\dbk32.sys
c:\recycler\S-1-5-21-484763869-879983540-839522115-1005
c:\windows\hosts
c:\windows\msa.exe
c:\windows\msb.exe
c:\windows\msc.exe
c:\windows\msd.exe
c:\windows\mse.exe
c:\windows\msf.exe
c:\windows\msg.exe
c:\windows\msh.exe
c:\windows\msi.exe
c:\windows\msj.exe
c:\windows\msk.exe
c:\windows\msl.exe
c:\windows\msm.exe
c:\windows\msn.exe
c:\windows\mso.exe
c:\windows\msp.exe
c:\windows\msq.exe
c:\windows\msr.exe
c:\windows\mss.exe
c:\windows\mst.exe
c:\windows\msu.exe
c:\windows\msv.exe
c:\windows\msw.exe
c:\windows\msx.exe
c:\windows\msy.exe
c:\windows\msz.exe
c:\windows\system32\msxml71.dll
c:\windows\system32\scrrntr.dll
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\snapapi32.dll
Infected copy of c:\windows\system32\lsass.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\lsass.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SECURENTM
-------\Legacy_SYSTEMNTMI
-------\Service_securentm
-------\Service_systemntmi
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 )))))))))))))))))))))))))))))))
.
2010-04-30 17:31 . 2010-04-30 17:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\vrnfioxyq
2010-04-30 17:27 . 2010-04-30 17:46 1958 ----a-w- c:\documents and settings\Administrator\Application Data\ntlog.sys
2010-04-29 16:11 . 2010-04-29 16:11 -------- d-----w- c:\windows\LastGood.Tmp
2010-04-29 15:54 . 2010-04-29 15:54 -------- d-----w- c:\program files\TeamSpeak 3 Client
2010-04-26 18:59 . 2010-04-26 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\261C5
2010-04-26 14:07 . 2010-04-26 14:07 -------- d-----w- C:\Sobee
2010-04-25 11:23 . 2010-04-25 11:23 56292 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-24 22:13 . 2010-04-24 22:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Inverse_Karma
2010-04-23 14:53 . 2010-04-23 14:53 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-23 10:56 . 2010-04-23 10:56 -------- d-----w- c:\documents and settings\All Users\Application Data\13290
2010-04-23 10:55 . 2010-04-23 14:51 -------- d-----w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74\Local Settings\Application Data\BearShare
2010-04-20 04:53 . 2010-04-23 14:51 -------- d-----w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74\UserData
2010-04-19 14:29 . 2010-04-23 14:51 -------- d-----w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74\Tracing
2010-04-19 14:27 . 2010-04-19 14:27 -------- d-----w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74\Local Settings\Application Data\Mozilla
2010-04-19 14:26 . 2010-04-19 14:26 71560 ----a-w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-19 14:26 . 2010-04-19 14:26 -------- d-----w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74\Local Settings\Application Data\ATI
2010-04-19 14:26 . 2010-04-23 14:51 -------- d-----w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74\Local Settings\Application Data\LogMeIn Hamachi
2010-04-19 14:24 . 2010-04-23 14:51 -------- d-s---w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74
2010-04-19 14:24 . 2010-04-23 14:51 -------- d-----w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74\Local Settings\Application Data\Microsoft
2010-04-19 14:24 . 2010-04-23 14:51 -------- d-----w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74\Sık Kullanılanlar
2010-04-19 14:24 . 2010-04-23 14:51 -------- d-----w- c:\documents and settings\Ezik Hesap.OEM-2E99CAEED74\Belgelerim
2010-04-19 14:20 . 2010-04-23 14:51 -------- d-----w- c:\documents and settings\Ezik Hesap\Local Settings\Application Data\Microsoft
2010-04-19 14:20 . 2010-04-23 14:52 -------- d-s---w- c:\documents and settings\Ezik Hesap
2010-04-16 20:26 . 2010-04-16 20:26 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-04-16 20:04 . 2010-04-16 20:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Turbine
2010-04-16 17:48 . 2010-04-16 17:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Turbine
2010-04-16 17:43 . 2010-04-29 12:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2010-04-16 17:43 . 2010-04-16 17:43 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2010-04-16 17:41 . 2010-04-16 17:41 -------- d-----w- c:\windows\system32\URTTEMP
2010-04-16 17:14 . 2010-04-16 17:17 -------- d-----w- C:\Mount&Blade Warband
2010-04-16 14:36 . 2010-04-29 13:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files
2010-04-16 14:36 . 2010-04-16 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-04-16 14:35 . 2010-04-16 14:35 -------- d-----w- c:\program files\Pando Networks
2010-04-13 17:30 . 2010-04-13 17:30 -------- d-----w- c:\program files\LogMeIn Hamachi
2010-04-09 15:04 . 2010-04-09 15:05 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-04-09 14:58 . 2010-04-09 15:04 -------- d-----w- C:\Call of Juarez - Bound in Blood
2010-04-09 14:52 . 2010-04-09 14:52 223128 ----a-w- c:\windows\system32\drivers\vaxscsi.sys
2010-04-03 08:33 . 2010-04-30 18:04 -------- d-----w- c:\program files\Steam
2010-04-02 17:05 . 2010-04-02 20:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Mount&Blade Warband
2010-04-02 16:55 . 2010-04-02 16:55 -------- d-----w- c:\program files\Smart Projects
2010-03-31 19:18 . 2010-03-31 19:18 28672 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D1E1F028-1953-43A3-BFD8-D2A00EC06E36}\_EB52FE80E75B_486E_9850_195DAB8E8D59.exe
2010-03-31 19:18 . 2010-03-31 19:18 5185536 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D1E1F028-1953-43A3-BFD8-D2A00EC06E36}\RapeLay.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 13:47 . 2010-04-26 14:08 174592 ----a-w- c:\program files\mozilla firefox\plugins\libcurl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974BA1E-64EC-11DE-B2A5-E43756D89593}]
2009-12-20 09:51 87480 ----a-w- c:\program files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2009-12-27 12:30 504248 ----a-w- c:\program files\BearShare Applications\MediaBar\DataMngr\IEBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0974BA1E-64EC-11DE-B2A5-E43756D89593}"= "c:\program files\BearShare Applications\MediaBar\ToolBar\BearshareMediabarDx.dll" [2009-12-20 87480]
[HKEY_CLASSES_ROOT\clsid\{0974ba1e-64ec-11de-b2a5-e43756d89593}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-19 413696]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-18 98304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2006-12-26 196608]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 20:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programlar^Başlangıç^RocketDock.lnk]
backup=c:\windows\pss\RocketDock.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Counter Strike 1.6\\hl.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Call of Duty 4\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\airrivals\Launcher.atm"= d:\airrivals\Launcher.atm:Enabled:GameExe2
"d:\airrivals\Res-Voip\SCVoIP.exe"= d:\airrivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Leaf Networks\\Leaf\\bin\\Leaf.exe"=
"d:\\Pro Evolution Soccer 2010\\pes2010.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57085:TCP"= 57085:TCP:Pando Media Booster
"57085:UDP"= 57085:UDP:Pando Media Booster
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-04-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-10-05 19:18]
2010-04-30 c:\windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
- c:\windows\msal.exe [2009-12-07 10:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.bearshare.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Microsoft Excel'e Gö&nder - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {8448C732-4A12-4D9B-AB5A-8A71DFDF3420} = 8.8.8.8,8.8.4.4
TCP: {A75BC680-C95A-4445-B2F9-6C78987648A9} = 8.8.8.8,8.8.4.4
TCP: {C77385A4-D030-49F2-AFE2-0FFA653F06E3} = 8.8.8.8,8.8.4.4
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Cmaudio - cmicnfg.cpl
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-!SASWinLogon - (no file)
SafeBoot-Wdf01000.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 21:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spbl.sys >>UNKNOWN [0x8A8EE938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7e74cb8
\Driver\atapi -> atapi.sys @ 0xb7e09b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb7d12bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7d1fa21
SendHandler -> NDIS.sys @ 0xb7cfd87b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1036)
c:\windows\system32\Ati2evxx.dll
c:\program files\AlienGUIse\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\program files\BearShare Applications\MediaBar\DataMngr\DataMngrUI.exe
c:\program files\Windows Live\Messenger\msnmsgr.exe
c:\program files\Taskbar Shuffle\taskbarshuffle.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Pando Networks\Media Booster\PMB.exe
c:\documents and settings\Administrator\Local Settings\Application Data\vrnfioxyq\bkasxpftssd.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Steam\Steam.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Gigabyte\EasySaver\ESSVR.EXE
c:\program files\LogMeIn Hamachi\hamachi-2.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-30 21:07:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-30 18:07
Pre-Run: 8.876.851.200 bytes free
Post-Run: 8.760.229.888 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 26371071BF32B61B9DBC322850578D1F
A fake called Antispyware Soft got in. If anyone has another solution, could they say so?
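The log above carries the classic rogue-antivirus footprint in four places: Security Center monitoring and the Windows Firewall are switched off in the registry, Internet Explorer is pointed at a localhost proxy (127.0.0.1:5555) so the malware can intercept browsing, a scheduled task runs an executable dropped directly into c:\windows (msal.exe, alongside the msa.exe..msz.exe series ComboFix deleted), and a process runs from a random-named folder under Local Settings\Application Data. The script below is an added triage example, not part of the post and not ComboFix's own logic: it scans ComboFix-style lines for exactly those indicators. The rule names, the regular expressions and the sample block (lines copied from the log above) are assumptions of this example, and the path heuristics are deliberately loose, so a hit means "look here", not "this is malicious".

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the ComboFix log in the post,
# embedded here so the example runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = http=127.0.0.1:5555
2010-04-30 c:\windows\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
- c:\windows\msal.exe [2009-12-07 10:44]
c:\documents and settings\Administrator\Local Settings\Application Data\vrnfioxyq\bkasxpftssd.exe
c:\program files\Steam\Steam.exe
c:\windows\hosts
"""

Finding = Tuple[str, str]  # (rule name, offending line or path)

# Heuristic patterns (assumptions of this example, not rules ComboFix applies).
EXE_PATH = re.compile(r"([a-z]:\\[^\[\]]*?\.exe)", re.I)           # first drive-rooted .exe path on a line
WINDIR_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)       # .exe sitting directly in c:\windows
USER_APPDATA_EXE = re.compile(                                      # .exe in a per-user Local Settings folder
    r"\\local settings\\application data\\[^\\]+\\[^\\]+\.exe$", re.I)
HOSTS = re.compile(r"\\hosts$", re.I)
CANONICAL_HOSTS = re.compile(r"\\system32\\drivers\\etc\\hosts$", re.I)


def triage(log_text: str) -> List[Finding]:
    """Walk ComboFix output line by line and collect rogue-AV style indicators.

    Registry values are interpreted in the context of the most recent
    [key] header, so DisableMonitoring only fires under Security Center keys.
    """
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line.lower()          # remember which registry key we are under
            continue
        low = line.lower()
        if '"disablemonitoring"=dword:00000001' in low and "security center" in current_key:
            findings.append(("security_center_monitoring_disabled", current_key))
        elif low.startswith('"enablefirewall"=') and re.search(r"=\s*0\b", low):
            findings.append(("windows_firewall_disabled", line))
        elif "proxyserver" in low and "127.0.0.1" in low:
            findings.append(("localhost_proxy", line))
        elif HOSTS.search(low) and not CANONICAL_HOSTS.search(low):
            # the real hosts file lives in system32\drivers\etc; a copy elsewhere is a decoy or dropper artifact
            findings.append(("hosts_file_outside_etc", line))
        else:
            m = EXE_PATH.search(line)
            if m:
                path = m.group(1)
                if WINDIR_EXE.match(path):
                    findings.append(("exe_directly_under_windir", path))
                elif USER_APPDATA_EXE.search(path):
                    findings.append(("exe_in_user_local_appdata", path))
    return findings


def rule_names(log_text: str) -> List[str]:
    """Convenience view: just the rule names that fired, in log order."""
    return [name for name, _ in triage(log_text)]


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:36} {detail}")
```

Run against the full log, `exe_directly_under_windir` will also flag c:\windows\RTHDCPL.EXE (the Realtek audio tray tool), which is why the output is a worklist rather than a verdict; the value of the script is that it pulls the firewall, Security Center, proxy and drop-location lines out of several hundred lines of noise in one pass.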