|
#11
| |||
| |||
| Reboot and try again. If you cannot get it to install, then move to the HijackThis instructions. |
|
#12
| |||
| |||
| Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:15:32, on 30/09/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Trend Micro\Analyze.exe\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MailChacker.exe] C:\MailChk\MailChecker.exe -r
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Policies\Explorer\Run: [w] %SystemRoot%\WinRaR.exe
O4 - HKCU\..\Policies\Explorer\Run: [wm] %SystemRoot%\winlogor.exe
O4 - HKCU\..\Policies\Explorer\Run: [wl] %SystemRoot%\intent.exe
O4 - HKCU\..\Policies\Explorer\Run: [mm] %SystemRoot%\sourro.exe
O4 - HKCU\..\Policies\Explorer\Run: [zx] %SystemRoot%\winadr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk/
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...fo.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {8F63DB01-41FE-437E-9E43-2C1A716CC315} (pNetbreeze.netbreeze) - http://www.netbreeze.co.uk/registrat...pNetbreeze.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
-- End of file - 5298 bytes |
|
#13
| |||
| |||
| I've done HijackThis and I've copied and pasted the results onto a post, but it said someone's gotta check it first or summin like that, so it will probs come on in a mo |
|
#14
| |||
| |||
| You could not get Spybot to run? Try again and let me know. |
|
#15
| |||
| |||
| kk I will reboot and try Spybot, by the way that is my HijackThis log above |
|
#16
| |||
| |||
| I think we're gonna have to leave Spybot as it still won't work! |
|
#17
| |||
| |||
| OK, let's try this.
1. Please download Combofix by sUBs. Place it on your Desktop. combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. |
|
#18
| |||
| |||
| Ok, I have done that, here is the log:
ComboFix 07-09-21.2 - "Owner" 2007-09-30 22:06:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.259 [GMT 1:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\RECYCLER\RB5.tmp
C:\WINDOWS\rising190.exe
C:\WINDOWS\rising52.exe
C:\WINDOWS\rising555.exe
C:\WINDOWS\rising639.exe
C:\WINDOWS\rising756.exe
C:\WINDOWS\rising973.exe
.
((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.
2007-09-30 22:04 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-30 21:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-30 20:33 <DIR> d-------- C:\Program Files\CCleaner
2007-09-30 20:26 32,768 --a------ C:\WINDOWS\dbhelp.dll
2007-09-20 22:08 71,320 --a------ C:\WINDOWS\WinRaR.exe
2007-08-20 18:35 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2007-08-20 18:35 <DIR> d-------- C:\Program Files\Paul's Blackjack
2007-08-20 18:14 <DIR> d-------- C:\Program Files\Free Spider
2007-08-20 18:14 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Free Spider TreeCardGames
2007-08-05 22:58 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-08-05 22:53 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Bitdefender
2007-08-05 22:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-30 20:23 --------- d-------- C:\Program Files\BitComet
2007-09-27 18:48 --------- d-------- C:\Program Files\Lx_cats
2007-08-05 21:27 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 21:27 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Virgin Broadband
2007-08-05 21:27 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Virgin Broadband
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-06-10 12:12 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 07:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 07:03]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2003-07-29 05:31]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe " [2002-10-08 11:03]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 12:00]
"MailChacker.exe"="C:\MailChk\MailChecker.exe" [2002-09-11 03:11]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2003-10-29 17:40]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 20:42:22]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=1 (0x1)
"NoStartMenuSubFolders"=1 (0x1)
"NoFavoritesMenu"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpySweeper"=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=C:\Program Files\Ahead\InCD\InCD.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\System32\DRIVERS\bsstor.sys
R1 bdftdif;BitDefender Firewall TDI Filter;\??\C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\System32\DRIVERS\bdfndisf.sys
R3 Intels51;Intel(R) 536EP V.92 Modem;C:\WINDOWS\System32\DRIVERS\Intels51.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\System32\DRIVERS\Amps2prt.sys
S3 cportclm;cportclm;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\cportclm.sys
S3 GT680x;GrandTechICNameNT;C:\WINDOWS\System32\Drivers\gt680x.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\System32\drivers\BsUDF.sys
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-30 22:10:00
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-30 22:11:36
C:\ComboFix-quarantined-files.txt ... 2007-09-30 22:11
.
--- E O F --- |
|
#19
| |||
| |||
| OK, try to run Spybot again. If it runs let it fix what it finds. Either way I need a FRESH HijackThis log. |
|
#20
| |||
| |||
| Nope, Spybot won't work but here's a fresh hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:33:35, on 30/09/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Analyze.exe\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MailChacker.exe] C:\MailChk\MailChecker.exe -r
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Policies\Explorer\Run: [w] %SystemRoot%\WinRaR.exe
O4 - HKCU\..\Policies\Explorer\Run: [mm] %SystemRoot%\sourro.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk/
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {8F63DB01-41FE-437E-9E43-2C1A716CC315} (pNetbreeze.netbreeze) - http://www.netbreeze.co.uk/registrat...pNetbreeze.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
-- End of file - 5131 bytes |