Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Me Some Problem A Possible Malware!


  • Please log in to reply
30 replies to this topic

#1 DarkNight

DarkNight

  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 AM

Posted 06 November 2007 - 07:57 AM

I scan my computer with AVG Anti Spyware and AVG Anti Virus and nothing comes up
My Windows Movie Maker 2.1 have missing transitions and effects,my startup time is 10 minutes,Internet Explorer 7 refuse to connect,Firefox freeze up after 2 hours and have to be killed with Task Manager and in Event Viewer it shows that I have tons of warnings and errors and also,I have to use a proxy site to access half of the website I regulary visit
help me please,it is worry me badly
Ryson



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:38 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Invisible Browsing\servers\IBService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocksManager.exe
C:\Program Files\Invisible Browsing\servers\Http\ibhttp.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocks.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Documents and Settings\oem\Application Data\Maxthon2\Maxthon.exe
C:\Program Files\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://youtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://java.sun.com/products/javawebstart/demos.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\PROGRA~1\MASSDO~1\MDHELPER.DLL
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster 2004\StrpFstCfg.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJfox000
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Windows Xp\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FCB2D18-2AC2-4135-8B85-80E76D8756D9}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.112
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBService - Unknown owner - C:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: System Update (SUService) - Unknown owner - c:\program files\lenovo\system update\suservice.exe (file missing)
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 12748 bytes

Edited by DarkNight, 06 November 2007 - 08:53 AM.


BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 06 November 2007 - 11:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum DarkNight :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


Please download FixWareout:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next,then Install,then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load,this is normal.

When your system reboots,follow the prompts.
Afterwards, HijackThis will launch,if it doesn't,launch it manually.
Please click Scan, and checkmark the following items:

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJfox000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Windows Xp\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FCB2D18-2AC2-4135-8B85-80E76D8756D9}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.112


Click 'Fix Checked'.
Close HijackThis,and click OK to proceed.
At the end of the fix you may need to restart your computer again.

Please post the contents of the logfile C:\fixwareout\report.txt into your next reply.

Please Note:
Only do the following if you have connection problems after performing the above steps:
Go to Start>Control Panel,and choose 'Network Connections'.
Then right click on your default connection,usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up,then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice,restart your computer.


If you have previously downloaded ComboFix,please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 DarkNight

DarkNight
  • Topic Starter

  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 AM

Posted 06 November 2007 - 08:59 PM

ok thanks for your help i do all of it after i finish my school :thumbsup:

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 07 November 2007 - 03:30 AM

Ok,thanks for the update.
Posted Image
Posted Image

#5 DarkNight

DarkNight
  • Topic Starter

  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 AM

Posted 07 November 2007 - 11:40 AM

Uh,Richie,big problem,I cannot uninstall the java thing!!
both of them(there is only two)said"The feature you are trying to use is on a network resource that is unavailable"
"CLick ok to try again,or enter an alternate path to folder containing the installion package "jdk 1.6.0_02.msi' in the box below"
and it is trying to uninstall from WIndows XP,my old computer account which i deledted it 2 weeks ago.
WHat Am I going to do?

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 07 November 2007 - 11:52 AM

Forget the Java update for now,carry on with the rest of the instructions please.
Posted Image
Posted Image

#7 DarkNight

DarkNight
  • Topic Starter

  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 AM

Posted 07 November 2007 - 11:58 AM

ok Richie,be back with the result in 10 minutes or so :thumbsup:

#8 DarkNight

DarkNight
  • Topic Starter

  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 AM

Posted 07 November 2007 - 12:16 PM

Username "oem" - 11/08/2007 1:00:05 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.114.92 85.255.112.112" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3FCB2D18-2AC2-4135-8B85-80E76D8756D9}
"nameserver"="85.255.114.92,85.255.112.112" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1AD2A6CB-1EB3-42F4-8D08-3ED79A72208F}
"DhcpNameServer"="85.255.114.92,85.255.112.112" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"StartupFaster"="\"C:\\Program Files\\Startup Faster 2004\\StrpFstCfg.exe\" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\StartupFaster]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\StartupFaster\Ashampoo FireWall]
"Desc"="Ashampoo FireWall"
"CmdLine"="\"C:\\Program Files\\Ashampoo\\Ashampoo FireWall\\FireWall.exe\" -TRAY"
"Icon"="C:\\Program Files\\Ashampoo\\Ashampoo FireWall\\FireWall.exe"
"DelayTime"=dword:00000c80
"Enable"=dword:00000001
"Order"=dword:0000000a
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\StartupFaster\AVG7_CC]
"Desc"="AVG7_CC"
"CmdLine"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"Icon"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"
"DelayTime"=dword:00000fa0
"Enable"=dword:00000001
"Order"=dword:00000009
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\StartupFaster\BigDog305]
"Desc"="BigDog305"
"CmdLine"="C:\\WINDOWS\\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)"
"Icon"="C:\\WINDOWS\\VM305_STI.EXE"
"DelayTime"=dword:00000000
"Enable"=dword:00000001
"Order"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\StartupFaster\cFosSpeed]
"Desc"="cFosSpeed"
"CmdLine"="C:\\Program Files\\cFosSpeed\\cFosSpeed.exe"
"Icon"="C:\\Program Files\\cFosSpeed\\cFosSpeed.exe"
"DelayTime"=dword:00000000
"Enable"=dword:00000001
"Order"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\StartupFaster\DefragTaskBar]
"Desc"="DefragTaskBar"
"CmdLine"="\"C:\\Program Files\\Ashampoo\\Ashampoo Magical Defrag 2\\bin\\defragTaskBar.exe\""
"Icon"="C:\\Program Files\\Ashampoo\\Ashampoo Magical Defrag 2\\bin\\defragTaskBar.exe"
"DelayTime"=dword:00000000
"Enable"=dword:00000001
"Order"=dword:00000006
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\StartupFaster\SoundMan]
"Desc"="SoundMan"
"CmdLine"="SOUNDMAN.EXE"
"Icon"="C:\\WINDOWS\\soundman.exe"
"DelayTime"=dword:00000ed8
"Enable"=dword:00000001
"Order"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\StartupFaster\Startup Faster Agent]
"Desc"="Startup Faster Agent"
"CmdLine"="C:\\Program Files\\Startup Faster 2004\\sfAgent.exe"
"Icon"="C:\\Program Files\\Startup Faster 2004\\sfAgent.exe"
"DelayTime"=dword:00000000
"Enable"=dword:00000001
"Order"=dword:00000007
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\StartupFaster\SunJavaUpdateSched]
"Desc"="SunJavaUpdateSched"
"CmdLine"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"Icon"="C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe"
"DelayTime"=dword:00000000
"Enable"=dword:00000001
"Order"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupFaster]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupFaster\ctfmon.exe]
"Desc"="ctfmon.exe"
"CmdLine"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Icon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DelayTime"=dword:00000708
"Enable"=dword:00000001
"Order"=dword:00000002
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupFaster\EPSON Stylus C45 Series]
"Desc"="EPSON Stylus C45 Series"
"CmdLine"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3T1.EXE /P23 \"EPSON Stylus C45 Series\" /M \"Stylus C45\" /EF \"HKCU\""
"Icon"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3T1.EXE"
"DelayTime"=dword:00000af0
"Enable"=dword:00000001
"Order"=dword:00000003
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupFaster\SuperAdBlocker]
"Desc"="SuperAdBlocker"
"CmdLine"="C:\\Program Files\\SuperAdBlocker.com\\Super Ad Blocker\\SAdBlock.exe"
"Icon"="C:\\Program Files\\SuperAdBlocker.com\\Super Ad Blocker\\SAdBlock.exe"
"DelayTime"=dword:00001130
"Enable"=dword:00000001
"Order"=dword:00000008
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#9 DarkNight

DarkNight
  • Topic Starter

  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 AM

Posted 07 November 2007 - 12:37 PM

I'll do the combo thing tommorow after school,I'm getting sleepy,lol
Have a good dream and don't let the bed buys bites :thumbsup:
lol sorry,couldn't resist

#10 DarkNight

DarkNight
  • Topic Starter

  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 AM

Posted 10 November 2007 - 07:01 AM

ComboFix 07-11-08.3 - oem 2007-11-10 19:43:21.1 - NTFSx86
Running from: C:\Documents and Settings\oem\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\sysdm.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-10 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SRS Labs
2007-11-10 17:47 <DIR> d-------- C:\WINDOWS\LastGood
2007-11-10 17:47 47,360 -ra------ C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2007-11-10 17:47 47,104 -ra------ C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2007-11-10 17:47 42,112 -ra------ C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2007-11-10 17:47 39,808 -ra------ C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys
2007-11-10 17:47 32,000 -ra------ C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
2007-11-10 17:46 <DIR> d-------- C:\Program Files\SRS Labs
2007-11-10 17:45 24,801 --a------ C:\cc_20071110_1745.reg
2007-11-07 19:51 683,984 -ra------ C:\WINDOWS\system32\drivers\cfosspeed.sys
2007-11-07 19:46 <DIR> d-------- C:\Program Files\cFosSpeed
2007-11-07 19:46 281,552 --a------ C:\WINDOWS\system32\cfosspeed.dll
2007-11-07 11:26 <DIR> d-------- C:\Program Files\Antenna
2007-11-05 22:33 48,346 --a------ C:\cc_20071105_2233.reg
2007-11-02 11:39 <DIR> d-------- C:\Program Files\Siber Systems
2007-11-02 11:30 <DIR> d-------- C:\Program Files\Download Direct
2007-11-02 11:27 23 --a------ C:\Program Files\hfkud16.sys
2007-11-02 11:26 <DIR> d-------- C:\Program Files\TVPlayerClassic
2007-11-02 11:21 <DIR> d-------- C:\My Media Files
2007-11-02 11:06 17,005 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-11-02 11:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2007-11-02 11:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2007-11-02 11:05 <DIR> d-------- C:\Program Files\Aurora Media Workshop
2007-10-28 23:07 <DIR> d-------- C:\Documents and Settings\oem\Application Data\SuperAdBlocker.com
2007-10-28 23:04 <DIR> d-------- C:\Program Files\SuperAdBlocker.com
2007-10-22 11:22 <DIR> d-------- C:\Program Files\Connection Keeper
2007-10-22 11:22 <DIR> d-------- C:\Program Files\Common Files\System-G
2007-10-22 11:01 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-10-22 11:00 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2007-10-16 00:46 <DIR> d-------- C:\Program Files\ColorPic 4.1
2007-10-16 00:46 134,118 --a------ C:\WINDOWS\ColorPic Uninstaller.exe
2007-10-13 22:42 <DIR> d-------- C:\Documents and Settings\oem\Application Data\Maxthon2
2007-10-13 22:24 <DIR> d-------- C:\Program Files\Startup Faster 2004
2007-10-13 21:20 <DIR> d-------- C:\Documents and Settings\oem\Application Data\Ulead Systems
2007-10-13 15:57 <DIR> d-------- C:\Documents and Settings\oem\Application Data\Grisoft
2007-10-12 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-12 16:13 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-10-12 14:44 42,672 --------- C:\WINDOWS\system32\wbsys.dll
2007-10-12 14:42 22,794 --a------ C:\cc_20071012_1442.reg
2007-10-12 14:34 <DIR> d-------- C:\Program Files\Invisible Browsing
2007-10-12 14:24 <DIR> d-------- C:\Program Files\Webcam Surveyor
2007-10-12 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WebacamSurveyor
2007-10-10 23:47 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-10 23:40 584,192 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-10 02:04 <DIR> d-------- C:\WINDOWS\system32\VIRepair

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 11:39 --------- d-----w C:\Program Files\Trillian
2007-11-10 09:54 --------- d-----w C:\Program Files\Mass Downloader
2007-11-10 09:54 --------- d-----w C:\Program Files\Magic Music Factory
2007-11-10 09:29 --------- d-----w C:\Documents and Settings\oem\Application Data\BearShare
2007-11-10 08:06 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-10 08:06 --------- d-----w C:\Program Files\SpeedBit Video Accelerator
2007-11-10 08:06 --------- d-----w C:\Program Files\QT Lite
2007-11-10 08:06 --------- d-----w C:\Program Files\FlashGet
2007-11-10 07:58 --------- d-----w C:\Program Files\Uniblue
2007-11-10 07:58 --------- d-----w C:\Documents and Settings\oem\Application Data\Uniblue
2007-11-08 13:12 --------- d-----w C:\Documents and Settings\oem\Application Data\Audacity
2007-11-05 14:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-05 14:31 --------- d-----w C:\Documents and Settings\oem\Application Data\SUPERAntiSpyware.com
2007-11-02 11:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\RoboForm
2007-10-31 23:41 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-31 22:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2007-10-31 16:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-25 14:58 --------- d-----w C:\Program Files\Opera 9
2007-10-22 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2007-10-22 02:59 --------- d-----w C:\Program Files\TechSmith
2007-10-13 15:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-13 15:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-10-12 12:16 --------- d-----w C:\Program Files\Ashampoo
2007-10-12 06:44 --------- d-----w C:\Program Files\Stardock
2007-10-12 06:40 --------- d-----w C:\Documents and Settings\oem\Application Data\Netscape
2007-10-05 18:36 --------- d-----w C:\Program Files\Pointstone
2007-10-05 18:26 --------- d-----w C:\Program Files\ProxyShell
2007-10-05 18:05 --------- d-----w C:\Program Files\DAP
2007-10-02 10:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-25 14:58 --------- d-----w C:\Documents and Settings\oem\Application Data\AVG7
2007-09-20 16:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-18 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-09-18 02:20 --------- d-----w C:\Program Files\USB Safely Remove
2007-09-18 02:20 --------- d-----w C:\Documents and Settings\oem\Application Data\USBSafelyRemove
2007-09-10 02:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-08-11 14:46 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-08-11 14:20 441 ----a-w C:\bootbak.bat
2007-07-05 09:08 476,752 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2006-07-28 12:34 19,552 ----a-w C:\Documents and Settings\oem\Application Data\GDIPFONTCACHEV1.DAT
2007-07-06 10:46:00 88 --sha-r C:\WINDOWS\system32\FCE5905A8A.sys
2007-07-06 11:45:27 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartupFaster"="C:\Program Files\Startup Faster 2004\StrpFstCfg.exe" [2006-07-08 11:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2007-10-26 16:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL [2006-11-07 12:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\resources\\Logon\\Consumation\\Consumation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL 2007-08-01 09:28 176128 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe


.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 07:29:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-10 07:58:37 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
"2007-05-01 04:09:10 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 19:51:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-10 19:53:01
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:50 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Invisible Browsing\servers\IBService.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocksManager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Invisible Browsing\servers\Http\ibhttp.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocks.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\oem\Application Data\Maxthon2\Maxthon.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://java.sun.com/products/javawebstart/demos.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\PROGRA~1\MASSDO~1\MDHELPER.DLL
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster 2004\StrpFstCfg.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FCB2D18-2AC2-4135-8B85-80E76D8756D9}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.112
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBService - Unknown owner - C:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: System Update (SUService) - Unknown owner - c:\program files\lenovo\system update\suservice.exe (file missing)
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 12217 bytes


sorry i didn't do this fast enough,I didn't have enough ttime lately

#11 DarkNight

DarkNight
  • Topic Starter

  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 AM

Posted 10 November 2007 - 07:03 AM

btw,I install two software,and remove two or three,just to remind you

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 10 November 2007 - 07:52 AM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Download\unzip SilentRunners.vbs to your desktop:
http://www.silentrunners.org/Silent%20Runners.zip
Run Silent Runner's by double clicking the 'SilentRunners.vbs' icon.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log and paste it into your next reply.
*NOTE*
If you receive any warning message about scripts,please choose to allow the script to run.

Also post a new Hijackthis log.

NOTE:
After posting the next log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised.
Doing so can result in system changes which may not show it the log you already posted.
Further, any modifications you make may cause confusion and could complicate any/the malware removal process.
Posted Image
Posted Image

#13 DarkNight

DarkNight
  • Topic Starter

  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 AM

Posted 10 November 2007 - 06:59 PM

4169.2.3;C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\PERSISTENT\5;Modification of Win32.Savior.1832;Moved.;
AsyncEx.ax;C:\Program Files\Ares;Trojan.KeyLogger.origin;Incurable.Moved.;
TcpIpPatcherDll.dll;C:\Program Files\Ares;Trojan.DownLoader.origin;Incurable.Moved.;
NMSAccess.exe;C:\Program Files\CDBurnerXP Pro 3\Tools;Program.PsKill.origin;Incurable.Moved.;
backup-20070705-235456-170.dll;C:\Program Files\HijackThis\backups;Adware.Neobar;Incurable.Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.;
A0303002.exe;C:\System Volume Information\_restore{5E779328-532A-4F3E-AD22-EC74576178D0}\RP367;Tool.CloseApp;Incurable.Moved.;
A0306698.exe;C:\System Volume Information\_restore{5E779328-532A-4F3E-AD22-EC74576178D0}\RP370;Tool.CloseApp;Incurable.Moved.;
A0334525.exe;C:\System Volume Information\_restore{5E779328-532A-4F3E-AD22-EC74576178D0}\RP401;Trojan.Click.origin;Incurable.Moved.;
A0334643.ax;C:\System Volume Information\_restore{5E779328-532A-4F3E-AD22-EC74576178D0}\RP403;Trojan.KeyLogger.origin;Incurable.Moved.;
A0334644.dll;C:\System Volume Information\_restore{5E779328-532A-4F3E-AD22-EC74576178D0}\RP403;Trojan.DownLoader.origin;Incurable.Moved.;
closeapp.exe;C:\WINDOWS\system32;Tool.CloseApp;Incurable.Moved.;

Good Morning!
Sorry it ttook so long,I ran it and fell asleep,so today,in the morning I do the MOved Incurable thing you told me to
btw,out of interested,what does DrWeb-CureIt do?

EDIT:
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"StartupFaster" = ""C:\Program Files\Startup Faster 2004\StrpFstCfg.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP" ["URSoft,Inc"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00000000-6C30-11D8-9363-000AE6309654}\(Default) = "SuperAdBlockerBHO Class"
-> {HKLM...CLSID} = "SuperAdBlockerBHO Class"
\InProcServer32\(Default) = "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll" ["SuperAdBlocker.com"]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
-> {HKLM...CLSID} = "FGCatchUrl"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{69A87B7D-DE56-4136-9655-716BA50C19C7}\(Default) = "Google Web Accelerator Helper"
-> {HKLM...CLSID} = "&Google Web Accelerator Helper"
\InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
{724d43a9-0d85-11d4-9908-00400523e39a}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{B930BA63-9E5A-11D3-A288-0000E80E2EDE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IECatcher Class"
\InProcServer32\(Default) = "C:\PROGRA~1\MASSDO~1\MDHELPER.DLL" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{B4B3001E-0F56-4E51-8250-BDE11547EC55}" = "Super Ad Blocker Toolbar"
-> {HKLM...CLSID} = "Super Ad Blocker Toolbar"
\InProcServer32\(Default) = "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSEHB.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SABWinLogon\DLLName = "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"
-> {HKLM...CLSID} = "AmvTransform Class"
\InProcServer32\(Default) = "C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\AmvTransform.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\oem\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" [file not found]
"Uniblue SpeedUpMyPC Nag" -> launches: "C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s" [file not found]
"Uniblue SpeedUpMyPC" -> launches: "C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Ashampoo\Ashampoo FireWall\spi.dll [null data], 01 - 05, 14
%SystemRoot%\system32\mswsock.dll [MS], 06 - 13, 15 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 18 - 19


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}"
-> {HKLM...CLSID} = "Google Web Accelerator"
\InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
"{B4B3001E-0F56-4E51-8250-BDE11547EC55}"
-> {HKLM...CLSID} = "Super Ad Blocker Toolbar"
\InProcServer32\(Default) = "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll" [null data]
"{724D43A0-0D85-11D4-9908-00400523E39A}"
-> {HKLM...CLSID} = "&RoboForm"
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" = (no title provided)
-> {HKLM...CLSID} = "Google Web Accelerator"
\InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{B4B3001E-0F56-4E51-8250-BDE11547EC55}" = (no title provided)
-> {HKLM...CLSID} = "Super Ad Blocker Toolbar"
\InProcServer32\(Default) = "C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll" [null data]
"{724D43A0-0D85-11D4-9908-00400523E39A}" = (no title provided)
-> {HKLM...CLSID} = "&RoboForm"
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{0FD01980-CCCB-11D3-80D4-0000E80E2EDE}\
"ButtonText" = "Mass Downloader"
"MenuText" = "&Mass Downloader"
"Exec" = "C:\Program Files\Mass Downloader\massdown.exe" ["MetaProducts corp."]

{320AF880-6646-11D3-ABEE-C5DBF3571F46}\
"ButtonText" = "Fill Forms"
"MenuText" = "Fill Forms"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html" [file not found]

{320AF880-6646-11D3-ABEE-C5DBF3571F49}\
"ButtonText" = "Save"
"MenuText" = "Save Forms"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html" [file not found]

{724D43AA-0D85-11D4-9908-00400523E39A}\
"ButtonText" = "RoboForm"
"MenuText" = "RoboForm Toolbar"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html" [file not found]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*b" (unwritable string)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "DesktopItemNavigationFailure" = "res://shdoclc.dll/navcancl.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AshampooDefragService, AshampooDefragService, "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe" [" "]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Capture Device Service, Capture Device Service, ""C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe"" ["InterVideo Inc."]
cFosSpeed System Service, cFosSpeedS, ""C:\Program Files\cFosSpeed\spd.exe" -service" ["cFos Software GmbH"]
IBService, IBService, "C:\Program Files\Invisible Browsing\servers\IBService.exe" [null data]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
ProtexisLicensing, ProtexisLicensing, "C:\WINDOWS\system32\PSIService.exe" [null data]
Super Ad Blocker Service, SABSVC, ""C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE"" ["SuperAdBlocker.com"]
Tango Service, TangoService, "C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe" [null data]
TVT Scheduler, TVT Scheduler, ""C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe"" ["Lenovo Group Limited"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V6 Monitor4SA\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]


---------- (launch time: 2007-11-11 08:06:47)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 108 seconds, including 28 seconds for message boxes)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:44 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Invisible Browsing\servers\IBService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocksManager.exe
C:\Program Files\Invisible Browsing\servers\Http\ibhttp.exe
C:\Program Files\Invisible Browsing\servers\Socks\IBSocks.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\Startup Faster 2004\sfAgent.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\oem\Application Data\Maxthon2\Maxthon.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.youtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://java.sun.com/products/javawebstart/demos.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\PROGRA~1\MASSDO~1\MDHELPER.DLL
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [StartupFaster] "C:\Program Files\Startup Faster 2004\StrpFstCfg.exe" -run SFAURUN SFCURUN SFAUSTARTUP SFCUSTARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FCB2D18-2AC2-4135-8B85-80E76D8756D9}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.112
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBService - Unknown owner - C:\Program Files\Invisible Browsing\servers\IBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: System Update (SUService) - Unknown owner - c:\program files\lenovo\system update\suservice.exe (file missing)
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 12007 bytes

Edited by DarkNight, 10 November 2007 - 07:11 PM.


#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:11 PM

Posted 11 November 2007 - 05:06 AM

Download the free 30 day trial of Kaspersky Anti-Virus 7.0:
http://usa.kaspersky.com/downloads/trial-versions.php

Click on Start/Control Panel/Add or Remove Programs and remove/uninstall AVG7 Antivirus,then restart your pc.

Now install Kaspersky Anti-Virus 7.0
Once installed update Kaspersky's virus definitions.
Disconnect from the internet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FCB2D18-2AC2-4135-8B85-80E76D8756D9}: NameServer = 85.255.114.92,85.255.112.112
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.92 85.255.112.112


Now do a full system virus scan with Kaspersky.
Let me know if Kaspersky detected and removed anything in your next reply.

Please download RKFiles:
http://skads.org/special/rkfiles.zip
Unzip the contents of RKfiles.zip to the desktop.
Double-click RKFiles.bat to run it.
It may take a while so please be patient.
When it is finished a window should appear with a log.
Please copy the contents of the log and paste them into your next reply.
Note:
The log with be saved at c:\log.txt

Also post a new Hijackthis log.

Edited by RichieUK, 11 November 2007 - 05:09 AM.

Posted Image
Posted Image

#15 DarkNight

DarkNight
  • Topic Starter

  • Members
  • 232 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 AM

Posted 12 November 2007 - 07:50 AM

Hi! :thumbsup:
Quick Question,why I need to remove AVG7?

Edited by DarkNight, 12 November 2007 - 07:51 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users