Hi there good people at afterdawn, i will first state that im not a user, i intend to use these forums after my problem gets fixed, (if it does that is!), id really appreciate your help, my picture files wont open - im an art student, and it could make my life really more difficult than it needs to be! The desktop has a lovely warning error on it WARNING SPYWARE yadayada with that wonderful shade of blue for a background. Ive got the full versions of spyware doctor and avg, but theyre both sitting on their arses doing nothing. I've read through similar threads and run a scan with malwarebytes and Hijack this, here are the results, im sorry that im a pwnzornub, i really dont know what it means... i do art! The most useless subject in the world! Hijackthis log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:33:55, on 14/09/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\dlcccoms.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\SYSTEM32\NOTEPAD.EXE C:\Documents and Settings\paul\Desktop\HiJackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://newsbox.msn.co.uk/article.as...ortlive&ks=0&mc=5&ml=ma&lc=en&ae=windows-1252 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [in3] C:\Documents and Settings\paul\Local Settings\Temp\.tt56.tmp.exe /CR=307BEBA325D52EB8A94C42FEB9609D730311B3CA8C6CDC3848744971FC44A14EBF489CB9D2EE815E83464D0BAFBBC07FD594A9E2A0A1DE7701EA78A05D75154913EDE111980F3369E4213DBB3B21199A2509D32B O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe -- End of file - 7060 bytes Malwarebytes results Malwarebytes' Anti-Malware 1.28 Database version: 1147 Windows 5.1.2600 Service Pack 3 14/09/2008 10:49:30 mbam-log-2008-09-14 (10-49-24).txt Scan type: Full Scan (C:\|) Objects scanned: 155190 Time elapsed: 1 hour(s), 8 minute(s), 29 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 7 Registry Values Infected: 22 Registry Data Items Infected: 15 Folders Infected: 2 Files Infected: 15 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{427b1fd8-2123-4334-a7d8-7a497363914b} (Trojan.BHO) -> No action taken. HKEY_CLASSES_ROOT\CLSID\{51d81dd5-55b7-497f-95db-d356429bb54e} (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Web Application (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken. HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> No action taken. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc35vj0eje7 (Trojan.FakeAlert) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> No action taken. HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken. HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken. HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> No action taken. Registry Data Items Infected: HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> No action taken. Folders Infected: C:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> No action taken. C:\WINDOWS\system32\158117 (Trojan.BHO) -> No action taken. Files Infected: C:\Program Files\Microsoft Security Adviser\msctrl.log (Trojan.Downloader) -> No action taken. C:\Program Files\Microsoft Security Adviser\mssadv.log (Trojan.Downloader) -> No action taken. C:\Program Files\Microsoft Security Adviser\mssadv_sp.log (Trojan.Downloader) -> No action taken. C:\0xf9.exe (Trojan.Agent) -> No action taken. C:\WINDOWS\system32\blphc35vj0eje7.scr (Trojan.FakeAlert) -> No action taken. C:\Documents and Settings\paul\Local Settings\Temp\.tt15.tmp (Trojan.Agent) -> No action taken. C:\Documents and Settings\paul\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> No action taken. C:\Documents and Settings\paul\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> No action taken. C:\Documents and Settings\paul\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> No action taken. C:\Documents and Settings\paul\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> No action taken. C:\Documents and Settings\paul\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> No action taken. C:\Documents and Settings\paul\Local Settings\Temp\.tt9.tmp (Trojan.Downloader) -> No action taken. C:\Documents and Settings\paul\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> No action taken. C:\Documents and Settings\paul\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> No action taken. C:\Documents and Settings\paul\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken. It would be most appreciated if somebody could help me, i dont know what i can offer in return for your help? Owilde
@Owilde, The fake blue screen alert should have been removed by MalwareBytes’ AntiMalware. Let’s dig a little deeper: 1. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. • Under Main "Select Files to Delete" choose: Select All. • Click the Empty Selected button. • If you use Firefox browser click Firefox at the top and choose: Select All • Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. • If you use Opera browser click Opera at the top and choose: Select All • Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. • Click Exit on the Main menu to close the program. 2. Fix entries using HiJackThis Launch HiJackThis Click the Do a system scan only button Put a check next to the entries listed below (if they still remain) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [in3] C:\Documents and Settings\paul\Local Settings\Temp\.tt56.tmp.exe /CR=307BEBA325D52EB8A94C42FEB9609D730311B3CA8C6CDC3848744971FC44A14EBF489CB9D2EE 815E83464D0BAFBBC07FD594A9E2A0A1DE7701EA78A05D75154913EDE111980F3369E4213DBB3B21 199A2509D32B IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now Click the Fix checked button and close HiJackThis 3. Download Combo fix from one of these locations. * IMPORTANT !!! Place combofix.exe on your Desktop http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK. Combo will begin to run DO NOTHING while this is happening. • It will kill a few processes and disconnect you from the internet. • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer. • This needs to be done so the program can work most efficiently for you. Do not attempt to use the internet or anything else while it's doing its job for you. If when it's completed you can not get on the internet just reboot the computer Post the log from comboFix for me located in c:\comboFix.txt I would also suggest running sfc scannow in case some system files have been corrupted. To repair your system you will need to run SFC /scannow For instructions go to: http://www.updatexp.com/scannow-sfc.html and http://www.bleepingcomputer.com/forums/topic43051.html Post back with the ComboFix Log, a fresh HJT log and let me know how everything is acting? 2OG
Hi there, thanks very much for the help. Ive completed your instructions up to the combofix part, i copied the command into run and a little combofix box came up with green bars in it, the process lasted about 10seconds, after that the computer didnt appear to be doing anything - is that combofix doing it's thing? (and if so, i should get off the internet?) awaiting further instructions Thanks alot man Owilde
Just as an update, i was updating my ATI video card drivers in preparation for a new game patch. All went well, except that the taskbar is now frozen, (i cant get past start) im not sure if this was the cause, i can only assume it is. Expletives. My apologies for being such a tart.
@Owilde, Were you ever able to run ComboFix? Did you run SFC /scannow ?? I can’t see what’s going on so it’s just a guess at best.. You might try doing a System Restore to a point before you installed the drivers and before you were having problems.… 2OG
Hi, What happened when i tried to run combofix: a tiny little box came up as though it were doing something, the green bars got to the end (as if to say something was complete) in about 10 seconds, then nothing. No log appeared, the combofix box disappeared and that was it. Isit meant to only take that long? i looked for a log but couldnt find one it may be handy to know that spyware doctor blocked a trojan-pws.bancos. when the little combofix disappeared. I managed to solve the frozen taskbar problem by system restore also, thanks (the game runs much better too!) Im sorry to be such a pain in the @rse, your help is truly appreciated
@Owilde, ComboFix should take at least 10 minutes, more if youre badly infected. Delete the copy from your desktop and try re-downloading and running using the following method: Right click the ComboFix icon and choose delete. Now: Download ComboFix from Here Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". • Double click combofix.exe and follow the prompts. • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall. Try this and see if we can get a Log… 2OG
It worked! Here they are... ComboFix 08-09-15.01 - paul 2008-09-15 21:19:28.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1572 [GMT 1:00] Running from: C:\Documents and Settings\paul\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\DOCUME~1\paul\LOCALS~1\Temp\tmp1.tmp C:\DOCUME~1\paul\LOCALS~1\Temp\tmp2.tmp . ((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 ))))))))))))))))))))))))))))))) . 2008-09-15 10:16 . 2008-09-15 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI 2008-09-15 10:15 . 2008-09-15 10:15 0 --a------ C:\WINDOWS\ativpsrm.bin 2008-09-15 10:13 . 2008-09-15 10:22 <DIR> d-------- C:\Program Files\ATI 2008-09-15 10:11 . 2008-09-15 10:12 <DIR> d-------- C:\Program Files\ATI Technologies 2008-09-15 10:11 . 2008-07-31 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe 2008-09-15 10:11 . 2008-05-15 02:25 106,496 --a------ C:\WINDOWS\system32\atinppt2.ax 2008-09-15 10:10 . 2008-09-15 10:10 <DIR> d-------- C:\ATI 2008-09-15 09:58 . 2008-09-15 09:58 10 --a------ C:\WINDOWS\WININIT.INI 2008-09-15 09:04 . 2008-09-15 20:51 <DIR> d-------- C:\327882R2FWJFW 2008-09-14 09:38 . 2008-09-14 10:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-09-14 09:38 . 2008-09-14 09:38 <DIR> d-------- C:\Documents and Settings\paul\Application Data\Malwarebytes 2008-09-14 09:38 . 2008-09-14 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-09-14 09:38 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-09-14 09:38 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-09-13 15:17 . 2008-09-13 15:17 <DIR> d-------- C:\VundoFix Backups 2008-09-08 19:42 . 2008-09-08 19:42 <DIR> d-------- C:\Documents and Settings\paul\Application Data\XRay Engine 2008-09-05 11:06 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll 2008-09-05 11:06 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll 2008-09-05 11:06 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll 2008-09-05 11:06 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll 2008-09-05 11:06 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll 2008-09-05 11:06 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll 2008-09-05 11:06 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll 2008-09-05 11:06 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll 2008-09-05 11:00 . 2008-09-05 11:00 <DIR> d-------- C:\WINDOWS\Logs 2008-09-05 10:53 . 2008-09-05 10:53 <DIR> d-------- C:\Program Files\Deep Silver 2008-08-29 10:52 . 2008-08-29 10:52 <DIR> d-------- C:\WINDOWS\system32\scripting 2008-08-29 10:52 . 2008-08-29 10:52 <DIR> d-------- C:\WINDOWS\system32\en 2008-08-29 10:52 . 2008-08-29 10:52 <DIR> d-------- C:\WINDOWS\system32\bits 2008-08-29 10:52 . 2008-08-29 10:52 <DIR> d-------- C:\WINDOWS\l2schemas 2008-08-29 10:49 . 2008-08-29 10:53 <DIR> d-------- C:\WINDOWS\ServicePackFiles 2008-08-29 10:41 . 2008-08-29 10:41 <DIR> d-------- C:\WINDOWS\EHome 2008-08-18 13:22 . 2008-08-18 13:22 <DIR> d-------- C:\Program Files\Common Files\DirectX 2008-08-18 13:10 . 2008-08-18 13:10 <DIR> d-------- C:\Program Files\Codemasters 2008-08-15 16:51 . 2008-08-15 16:54 <DIR> d-------- C:\Documents and Settings\paul\Application Data\AdobeUM . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-09-15 20:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-09-15 20:13 --------- d-----w C:\Program Files\Spyware Doctor 2008-09-15 09:16 --------- d-----w C:\Documents and Settings\paul\Application Data\ATI 2008-09-15 09:12 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-09-15 09:06 --------- d-----w C:\Program Files\Common Files\ATI Technologies 2008-09-14 17:30 139,128 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys 2008-09-14 17:30 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe 2008-09-13 14:03 --------- d-----w C:\Program Files\Java 2008-09-13 13:51 --------- d-----w C:\Documents and Settings\paul\Application Data\AVG7 2008-09-05 10:07 279,712 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys 2008-09-05 10:07 25,888 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys 2008-09-03 23:18 --------- d-----w C:\Program Files\Call of Duty Game of the Year Edition 2008-09-03 11:06 --------- d-----w C:\Documents and Settings\paul\Application Data\Bioshock 2008-08-29 11:15 --------- d-----w C:\Program Files\MSN Messenger 2008-08-26 15:43 --------- d-----w C:\Program Files\FireWarrior 2008-08-26 15:37 724,992 ----a-w C:\WINDOWS\iun6002.exe 2008-08-26 11:50 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2008-08-22 09:44 --------- d-----w C:\Program Files\dl_Cats 2008-08-05 08:52 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys 2008-08-02 16:14 --------- d-----w C:\Program Files\Arben The Talent 2008-08-02 14:36 --------- d-----w C:\Program Files\Ubisoft 2008-08-01 06:38 3,266,560 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys 2008-08-01 05:40 9,928,704 ----a-w C:\WINDOWS\system32\atioglxx.dll 2008-08-01 04:58 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll 2008-08-01 04:33 425,984 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll 2008-08-01 04:32 311,296 ----a-w C:\WINDOWS\system32\ati2dvag.dll 2008-08-01 04:23 184,320 ----a-w C:\WINDOWS\system32\atipdlxx.dll 2008-08-01 04:23 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll 2008-08-01 04:22 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll 2008-08-01 04:22 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe 2008-08-01 04:22 143,360 ----a-w C:\WINDOWS\system32\ati2evxx.dll 2008-08-01 04:21 573,440 ----a-w C:\WINDOWS\system32\ati2evxx.exe 2008-08-01 04:19 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL 2008-08-01 04:10 3,917,568 ----a-w C:\WINDOWS\system32\ati3duag.dll 2008-08-01 03:59 2,183,552 ----a-w C:\WINDOWS\system32\ativvaxx.dll 2008-08-01 03:46 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll 2008-08-01 03:42 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll 2008-08-01 03:40 35,328 ----a-w C:\WINDOWS\system32\atiadlxx.dll 2008-08-01 03:40 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll 2008-08-01 03:39 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll 2008-08-01 03:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll 2008-08-01 03:34 561,152 ----a-w C:\WINDOWS\system32\ati2cqag.dll 2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-06-26 20:10 42,320 ----a-w C:\WINDOWS\system32\xfcodec.dll 2008-06-24 17:12 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll 2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll 2008-06-17 23:15 10,310 ----a-w C:\WINDOWS\system32\ealregsnapshot1.reg 2007-11-24 16:34 22,328 ----a-w C:\Documents and Settings\paul\Application Data\PnkBstrK.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] "EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-29 352256] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-10 77824] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-10 185896] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "DLCCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-14 579584] "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440] "RTHDCPL"="RTHDCPL.EXE" [2006-04-17 C:\WINDOWS\RTHDCPL.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm "VIDC.SP54"= SP5X_32.DLL "VIDC.SP55"= SP5X_32.DLL "VIDC.SP56"= SP5X_32.DLL "VIDC.SP57"= SP5X_32.DLL "VIDC.SP58"= SP5X_32.DLL "VIDC.XFR1"= xfcodec.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe"= "C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"= "C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"= "C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"= "C:\\WINDOWS\\system32\\dlcccoms.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"= "C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"= "C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"= "C:\\WINDOWS\\system32\\PnkBstrA.exe"= "C:\\WINDOWS\\system32\\PnkBstrB.exe"= "C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"= "C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"= "C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"= "C:\\Program Files\\Sierra Entertainment\\FEAR Perseus Mandate\\FEARXP2.exe"= "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"= "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"= "C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"= "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"= "C:\\Program Files\\Xfire\\xfire.exe"= "C:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"= "C:\\Program Files\\Ubisoft\\Funatics\\The Settlers II - 10th Anniversary\\bin\\S2DNG.exe"= "C:\\Program Files\\Codemasters\\Overlord\\Overlord.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDUOMP.exe"= "C:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"= "C:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"= R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-08-05 160792] R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-06-16 176128] S2 Ca536av;4.1M MPEG4 DV Video Capture;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-07-09 514155] S3 USBCamera;4.1M MPEG4 DV Bulk Driver;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 11048] . Contents of the 'Scheduled Tasks' folder . . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\paul\Application Data\Mozilla\Firefox\Profiles\aygyjwf3.default\ . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-15 21:23:18 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run DLCCCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... ************************************************************************** . Completion time: 2008-09-15 21:25:15 ComboFix-quarantined-files.txt 2008-09-15 20:24:12 Pre-Run: 96,624,193,536 bytes free Post-Run: 98,268,790,784 bytes free 208 --- E O F --- 2008-09-12 00:01:18 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:27:10, on 15/09/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\dlcccoms.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\paul\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://newsbox.msn.co.uk/article.as...ortlive&ks=0&mc=5&ml=ma&lc=en&ae=windows-1252 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe -- End of file - 6371 bytes Thankyou 2og, im going to sing your praises upon a hilltop!
Oh my jesus! I can now view my pictures again! I want to weep tears of joy! You have saved my ********, i wish to repay you, ive seen the many other threads in which you've saved a virtual stranger from the insanity of a computer thats gone up ****creek. Its weird, because spyware doctor and AVG (both licensed versions) seemed to have served me well in the past, perhaps it was their day off? Is there anything i can do in return for your extreme kindness? Am i out of the red? Thankyou 2og
@Owilde, Let’s not get TOO carried away. Your HJT Log looks Clean. It will take me a while to go through the ComboFix Log but I’ll get back as soon as I can and we'll just see if there is anything else that needs evicting. Hang in there. 2OG
Congratulations Owilde, your log now looks CLEAN Things to do: Install a firewall – see below. Change your Antivirus – AVG7 is out of date, now there is AVG8 but I don’t like it – see below. . Here are a few other things you must do once you are completely clean: 1. Time for some housekeeping Please download the OTMoveIt2 by OldTimer • Save it to your desktop. • Run the tool by clicking on the icon. • Click the Cleanup button. • The tools that we used as well as this one will be removed from your system. 2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. • Under Main "Select Files to Delete" choose: Select All. • Click the Empty Selected button. • If you use Firefox browser click Firefox at the top and choose: Select All • Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. • If you use Opera browser click Opera at the top and choose: Select All • Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. • Click Exit on the Main menu to close the program. 3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. The easiest and safest way to do this is: • Go to Start > Programs > Accessories > System Tools and click "System Restore". • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. • Then go to Start > Run and type: Cleanmgr • Click "OK" Select the drive you want to clean usually C: Click OK When it completes the scan: • Click the "More Options" Tab. • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one. 4. Defragment your Hard Drive 1.Open My Computer. 2.Right-click the local disk volume that you want to defragment, and then click Properties. 3.On the Tools tab, click Defragment Now. 4.Click Defragment. And here are some tips to reduce the potential for spyware infection in the future: It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are are: Comodo Pro Free for the geeks and ZoneAlarm Free for the novice AntiVirus – Avira AntiVir for everyone – the free version has Nag screens but they can be stopped by googling avira antivir nag disable (I didn’t say that.) – This is the best of the free AV’s and better than most of the paid. I like it better than any AV that I’ve tried/tested, Free or Paid. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open. I strongly recommend installing the following applications: To protect your machine, I highly recommend BOClean. It’s FREE and it works. I use it and never get one of these infections. In order to prevent the installation of Trojans and Malware on your machine: Download and install: Comodo BOClean Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shutdown and remove any suspected trojan application. Comodo BOClean currently supports more than 60,000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode. • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. See Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth. Enjoy your clean computer. Any questions? 2OG
Hey man everything is in working order, im going to defragment tomorrow, ive got to hit the hay for now. Thankyou infinitely i do indeed have questions is this your job? are you paid to do it? what can i do in return for your selfless heroism? all hail master of the spywares! Owilde
