ARKADAŞLAR COMBOFİX'İ ÇALIŞTIRDIM. SONRA SES GELMEMEYE BAŞLADI. (Aşağıdaki raporun Drivers/Services bölümünde Legacy_AUDIOSRV ve Service_AudioSrv girdilerinin silindiği görülüyor; bu, Windows Audio hizmetinin kaldırıldığı anlamına gelir.)
ComboFix 13-07-18.01 - emre 18.07.2013 13:05:29.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.90.1055.18.502.290 [GMT 3:00]
Running from: c:\documents and settings\emre\Belgelerim\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AUDIOSRV
-------\Service_AudioSrv
.
.
((((((((((((((((((((((((( Files Created from 2013-06-18 to 2013-07-18 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 17:45 . 2012-05-31 11:30 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 17:45 . 2012-05-31 11:30 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 17:45 . 2013-05-15 07:46 17617288 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\documents and settings\emre\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2013-06-16 138096]
"uTorrent"="c:\documents and settings\emre\Belgelerim\Downloads\uTorrent.exe" [2013-03-23 1037648]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Hatırlatıcı.lnk]
path=c:\documents and settings\All Users\Start Menu\Programlar\Başlangıç\Hatırlatıcı.lnk
backup=c:\windows\pss\Hatırlatıcı.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 15:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-06-06 07:06 159744 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2006-03-02 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DATAMNGR]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-06 10:02 136176 ----atw- c:\documents and settings\emre\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 21:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-06-27 13:38 162328 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-06-27 13:38 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 21:57 1667584 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 19:10 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-06-27 13:38 137752 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-05-10 15:08 16342528 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 06:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2013-03-23 07:28 1037648 ----a-w- c:\documents and settings\emre\Belgelerim\Downloads\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BearShare Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Documents and Settings\\emre\\Application Data\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\emre\\Belgelerim\\Downloads\\uTorrent.exe"=
"c:\\Documents and Settings\\emre\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-31 17:45]
.
2013-07-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-527237240-1637723038-725345543-1004Core.job
- c:\documents and settings\emre\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-06-16 15:39]
.
2013-07-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-527237240-1637723038-725345543-1004UA.job
- c:\documents and settings\emre\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-06-16 15:39]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-08 09:24]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-08 09:24]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1637723038-725345543-1004Core.job
- c:\documents and settings\emre\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-06 10:02]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1637723038-725345543-1004UA.job
- c:\documents and settings\emre\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-06 10:02]
.
2013-07-18 c:\windows\Tasks\User_Feed_Synchronization-{1EA4C2B8-1B75-41D6-9823-F2F702BB5AE2}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dusunceniz.com
uInternet Settings,ProxyOverride = local
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C0CC9B3E-B42C-4342-936D-584E8B5CC53A}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{EB081C2A-7093-46AD-841B-DC9679856427}: NameServer = 8.8.8.8,8.8.4.4
DPF: {E55FD215-A32E-43FE-A777-A7E8F165F560} - hxxp://92.51.137.94/objects/NpFv522.dll
FF - ProfilePath - c:\documents and settings\emre\Application Data\Mozilla\Firefox\Profiles\k7n11vgc.default\
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=303a8bcd000000000000001b3879af4e&q=
FF - user.js: extensions.BabylonToolbar.id - 303a8bcd000000000000001b3879af4e
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15626
FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.0.7
FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.0.7
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.0.718:30
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-18 13:14
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}] @Denied: (Full) (Everyone)
"scansk"=hex(0):01,d9,ab,7d,cf,72,70,e7,fa,3c,8a,d7,fb,58,0e,15,3b,00,a4,0e,94,
95,14,93,fa,25,9e,f9,31,f8,c2,74,a2,0e,5d,cb,a9,64,8b,e3,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e08668c1-9d1a-4ec5-8a54-1475acded1c0}] @Denied: (Full) (Everyone)
"Model"=dword:0000005b
"Therad"=dword:0000002b
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,15,ef,a1,46,54,19,6c,0d,35,95,e0,f3,7c,6d,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2352)
c:\windows\system32\browselc.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\mfevtps.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2013-07-18 13:19:20 - machine was rebooted
ComboFix-quarantined-files.txt 2013-07-18 10:19
ComboFix2.txt 2013-06-03 07:09
ComboFix3.txt 2012-09-22 06:50
ComboFix4.txt 2012-02-01 10:04
ComboFix5.txt 2013-07-18 09:59
.
Pre-Run: 46.302.584.832 bayt boş
Post-Run: 46.220.996.608 bayt boş
.
- - End Of File - - C65A9110E380AD8B9981FB90AA14CA3F
988ED281FD011A58DAB7E4AE71DED8F5
BUYRUN COMBOFİX RAPORU
ComboFix 13-07-18.01 - emre 18.07.2013 13:05:29.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.90.1055.18.502.290 [GMT 3:00]
Running from: c:\documents and settings\emre\Belgelerim\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AUDIOSRV
-------\Service_AudioSrv
.
.
((((((((((((((((((((((((( Files Created from 2013-06-18 to 2013-07-18 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 17:45 . 2012-05-31 11:30 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 17:45 . 2012-05-31 11:30 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-12 17:45 . 2013-05-15 07:46 17617288 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\documents and settings\emre\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2013-06-16 138096]
"uTorrent"="c:\documents and settings\emre\Belgelerim\Downloads\uTorrent.exe" [2013-03-23 1037648]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Hatırlatıcı.lnk]
path=c:\documents and settings\All Users\Start Menu\Programlar\Başlangıç\Hatırlatıcı.lnk
backup=c:\windows\pss\Hatırlatıcı.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 15:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-06-06 07:06 159744 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2006-03-02 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DATAMNGR]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-06 10:02 136176 ----atw- c:\documents and settings\emre\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 21:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-06-27 13:38 162328 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-06-27 13:38 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 21:57 1667584 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 19:10 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-06-27 13:38 137752 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-05-10 15:08 16342528 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 06:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2013-03-23 07:28 1037648 ----a-w- c:\documents and settings\emre\Belgelerim\Downloads\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BearShare Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Documents and Settings\\emre\\Application Data\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\emre\\Belgelerim\\Downloads\\uTorrent.exe"=
"c:\\Documents and Settings\\emre\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-31 17:45]
.
2013-07-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-527237240-1637723038-725345543-1004Core.job
- c:\documents and settings\emre\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-06-16 15:39]
.
2013-07-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-527237240-1637723038-725345543-1004UA.job
- c:\documents and settings\emre\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2013-06-16 15:39]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-08 09:24]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-08 09:24]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1637723038-725345543-1004Core.job
- c:\documents and settings\emre\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-06 10:02]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1637723038-725345543-1004UA.job
- c:\documents and settings\emre\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-06 10:02]
.
2013-07-18 c:\windows\Tasks\User_Feed_Synchronization-{1EA4C2B8-1B75-41D6-9823-F2F702BB5AE2}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dusunceniz.com
uInternet Settings,ProxyOverride = local
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C0CC9B3E-B42C-4342-936D-584E8B5CC53A}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{EB081C2A-7093-46AD-841B-DC9679856427}: NameServer = 8.8.8.8,8.8.4.4
DPF: {E55FD215-A32E-43FE-A777-A7E8F165F560} - hxxp://92.51.137.94/objects/NpFv522.dll
FF - ProfilePath - c:\documents and settings\emre\Application Data\Mozilla\Firefox\Profiles\k7n11vgc.default\
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=303a8bcd000000000000001b3879af4e&q=
FF - user.js: extensions.BabylonToolbar.id - 303a8bcd000000000000001b3879af4e
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15626
FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.0.7
FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.0.7
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.0.718:30
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-18 13:14
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}] @Denied: (Full) (Everyone)
"scansk"=hex(0):01,d9,ab,7d,cf,72,70,e7,fa,3c,8a,d7,fb,58,0e,15,3b,00,a4,0e,94,
95,14,93,fa,25,9e,f9,31,f8,c2,74,a2,0e,5d,cb,a9,64,8b,e3,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e08668c1-9d1a-4ec5-8a54-1475acded1c0}] @Denied: (Full) (Everyone)
"Model"=dword:0000005b
"Therad"=dword:0000002b
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,15,ef,a1,46,54,19,6c,0d,35,95,e0,f3,7c,6d,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2352)
c:\windows\system32\browselc.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\mfevtps.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2013-07-18 13:19:20 - machine was rebooted
ComboFix-quarantined-files.txt 2013-07-18 10:19
ComboFix2.txt 2013-06-03 07:09
ComboFix3.txt 2012-09-22 06:50
ComboFix4.txt 2012-02-01 10:04
ComboFix5.txt 2013-07-18 09:59
.
Pre-Run: 46.302.584.832 bayt boş
Post-Run: 46.220.996.608 bayt boş
.
- - End Of File - - C65A9110E380AD8B9981FB90AA14CA3F
988ED281FD011A58DAB7E4AE71DED8F5
BUYRUN COMBOFİX RAPORU