Worms and viruses - Help!

Comments

  • Pythagorous
    Pythagorous Posts: 755 Forumite
    Part of the Furniture 500 Posts Name Dropper Combo Breaker
    Thanks DCM. I used that the other day and it worked, but then the same problem came back today, so must be another underlying cause as well. I've just rerun the registry fix and it seems to have worked again. Hopefully it'll hold for a while longer this time.

    I'm going to delete all the red files Rik mentioned so hopefully that will help
  • Pythagorous
    Pythagorous Posts: 755 Forumite
    Part of the Furniture 500 Posts Name Dropper Combo Breaker
    Actually, I managed to get ComboFix working after doing the reg fix.

    This is the log output

    ComboFix 10-04-14.01 - Alan 15/04/2010 14:04:41.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1272 [GMT 1:00]
    Running from: c:\documents and settings\Alan\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Alan\My Documents\Downloads\CFScript.txt
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    FILE ::
    "c:\program files\achbn.exe"
    "c:\program files\Achieve.exe"
    "c:\program files\Achieve.exe.manifest"
    "c:\program files\AchieveHelp.chm"
    "c:\program files\APKeyboardReference.pdf"
    "c:\program files\AskBarDis\bar\bin\askBar.dll"
    "c:\program files\AskBarDis\bar\bin\AskService.exe"
    "c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe"
    "c:\program files\BICommon.dll"
    "c:\program files\Default.dat"
    "c:\program files\efxstd.DLL"
    "c:\program files\EPR.dll"
    "c:\program files\Infragistics.Win.Misc.v7.1.dll"
    "c:\program files\Infragistics.Win.UltraWinChart.v7.1.dll"
    "c:\program files\Infragistics.Win.UltraWinDataSource.v7.1.dll"
    "c:\program files\Infragistics.Win.UltraWinEditors.v7.1.dll"
    "c:\program files\Infragistics.Win.UltraWinPrintPreviewDialog.v7.1.dll"
    "c:\program files\Infragistics.Win.UltraWinTabControl.v7.1.dll"
    "c:\program files\Microsoft.Office.Interop.Outlook.dll"
    "c:\program files\MiniComm.DLL"
    "c:\program files\Office.dll"
    "c:\program files\Sample.ach"
    "c:\program files\SecurityManager.dll"
    "c:\program files\stdole.dll"
    "c:\program files\tx12.dll"
    "c:\program files\tx12_bmp.flt"
    "c:\program files\tx12_css.dll"
    "c:\program files\tx12_doc.dll"
    "c:\program files\tx12_gif.flt"
    "c:\program files\tx12_htm.dll"
    "c:\program files\tx12_ic.dll"
    "c:\program files\tx12_ic.ini"
    "c:\program files\tx12_jpg.flt"
    "c:\program files\tx12_pdf.dll"
    "c:\program files\tx12_png.flt"
    "c:\program files\tx12_rtf.dll"
    "c:\program files\tx12_tif.flt"
    "c:\program files\tx12_tls.dll"
    "c:\program files\tx12_wmf.flt"
    "c:\program files\tx12_wnd.dll"
    "c:\program files\tx12_xml.dll"
    "c:\program files\uis.exe"
    "c:\windows\system32\drivers\RevHDD.exe"
    "c:\windows\system32\drivers\SPIF225.sys"
    "c:\windows\system32\OOBE\oobebaln.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\achbn.exe
    c:\program files\Achieve.exe
    c:\program files\Achieve.exe.manifest
    c:\program files\AchieveHelp.chm
    c:\program files\APKeyboardReference.pdf
    c:\program files\AskBarDis\bar\bin\askBar.dll
    c:\program files\AskBarDis\bar\bin\AskService.exe
    c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe
    c:\program files\BICommon.dll
    c:\program files\Default.dat
    c:\program files\efxstd.DLL
    c:\program files\EPR.dll
    c:\program files\Infragistics.Win.Misc.v7.1.dll
    c:\program files\Infragistics.Win.UltraWinChart.v7.1.dll
    c:\program files\Infragistics.Win.UltraWinDataSource.v7.1.dll
    c:\program files\Infragistics.Win.UltraWinEditors.v7.1.dll
    c:\program files\Infragistics.Win.UltraWinTabControl.v7.1.dll
    c:\program files\Microsoft.Office.Interop.Outlook.dll
    c:\program files\MiniComm.DLL
    c:\program files\Office.dll
    c:\program files\Sample.ach
    c:\program files\SecurityManager.dll
    c:\program files\stdole.dll
    c:\program files\tx12.dll
    c:\program files\tx12_bmp.flt
    c:\program files\tx12_css.dll
    c:\program files\tx12_doc.dll
    c:\program files\tx12_gif.flt
    c:\program files\tx12_htm.dll
    c:\program files\tx12_ic.dll
    c:\program files\tx12_ic.ini
    c:\program files\tx12_jpg.flt
    c:\program files\tx12_pdf.dll
    c:\program files\tx12_png.flt
    c:\program files\tx12_rtf.dll
    c:\program files\tx12_tif.flt
    c:\program files\tx12_tls.dll
    c:\program files\tx12_wmf.flt
    c:\program files\tx12_wnd.dll
    c:\program files\tx12_xml.dll
    c:\program files\uis.exe
    c:\windows\system32\drivers\RevHDD.exe
    c:\windows\system32\drivers\SPIF225.sys
    c:\windows\system32\OOBE\oobebaln.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_ASKService
    \Legacy_ASKUpgrade
    \Service_ASKService
    \Service_ASKUpgrade


    ((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
    .

    2010-04-14 08:13 . 2010-04-15 08:22 -------- d-----w- C:\Versalsoft
    2010-04-14 08:13 . 2010-04-14 08:13 -------- d-----w- c:\program files\Versalsoft
    2010-04-14 08:13 . 2010-04-14 08:13 -------- d-----w- c:\program files\Universal
    2010-04-13 20:01 . 2010-04-13 23:31 -------- d-----w- c:\documents and settings\Alan\Local Settings\Application Data\saolbvtie
    2010-04-10 14:54 . 2010-04-13 23:55 -------- d-----w- c:\program files\PeerBlock
    2010-04-08 11:32 . 2010-04-08 11:32 -------- d-----w- c:\windows\system\Iosubsys
    2010-04-07 19:54 . 2010-04-07 19:54 -------- d-----w- c:\program files\Trend Micro
    2010-04-07 17:18 . 2010-04-07 17:18 -------- d-----w- c:\documents and settings\Alan\Application Data\Malwarebytes
    2010-04-07 17:18 . 2010-03-29 14:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-07 17:18 . 2010-04-07 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-07 17:18 . 2010-04-07 17:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-07 17:18 . 2010-03-29 14:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-02 16:20 . 2010-04-02 16:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Xobni

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-15 13:17 . 2009-09-03 07:37 -------- d-----w- c:\documents and settings\Alan\Application Data\Dropbox
    2010-04-15 12:34 . 2010-02-15 19:15 -------- d-----w- c:\documents and settings\Alan\Application Data\PriceGong
    2010-04-13 23:55 . 2009-08-30 15:31 -------- d-----w- c:\documents and settings\Alan\Application Data\Azureus
    2010-04-13 22:44 . 2009-09-01 19:29 -------- d-----w- c:\documents and settings\Alan\Application Data\HPAppData
    2010-04-10 20:15 . 2009-12-26 11:54 -------- d-----w- c:\documents and settings\Alan\Application Data\vlc
    2010-04-08 10:44 . 2007-08-01 10:24 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-05 10:13 . 2009-11-22 10:09 -------- d-----w- c:\documents and settings\Alan\Application Data\TuneUpMedia
    2010-03-11 21:21 . 2007-08-01 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-03-11 12:38 . 2007-08-01 08:21 832512 ------w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2007-08-01 08:21 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2007-08-01 08:21 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-02-26 08:54 . 2009-10-12 12:16 91696 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\bin\Uninstall.exe
    2010-02-26 08:53 . 2010-02-26 08:53 13264416 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\cache\Dropbox-update-0.7.110.exe
    2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\bin\Dropbox.exe
    2010-02-25 14:14 . 2009-11-22 10:09 -------- d-----w- c:\program files\TuneUpMedia
    2010-02-19 22:24 . 2009-10-15 16:51 -------- d-----w- c:\documents and settings\Alan\Application Data\VSO
    2010-02-19 17:52 . 2010-02-19 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-02-19 17:51 . 2010-02-19 17:51 -------- d-----w- c:\documents and settings\Alan\Application Data\Office Genuine Advantage
    2010-02-15 19:21 . 2010-02-15 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Winferno
    2010-02-15 19:15 . 2010-02-15 19:15 -------- d-----w- c:\program files\Xobni
    2010-02-15 19:15 . 2010-02-15 19:15 -------- d-----w- c:\program files\Winferno
    2010-02-15 19:15 . 2010-02-15 19:15 -------- d-----w- c:\program files\PriceGong
    2010-02-12 10:03 . 2010-03-07 14:17 293376 ------w- c:\windows\system32\browserchoice.exe
    2009-10-14 15:12 . 2009-10-14 15:12 1372952 ----a-w- c:\program files\APUserManual.pdf
    2009-10-14 14:39 . 2009-10-14 14:39 8412 ----a-w- c:\program files\APQuickStart.pdf
    2007-11-28 09:49 . 2007-11-28 09:49 159744 ----a-w- c:\program files\Infragistics.Win.UltraWinPrintPreviewDialog.v7.1.dll
    2006-02-10 12:02 . 2006-02-10 12:02 274432 ----a-w- c:\program files\TXTextControl.dll
    2005-05-31 14:27 . 2005-05-31 14:27 503808 ----a-w- c:\program files\ActiproSoftware.UIStudio.Dock.dll
    2005-05-31 14:27 . 2005-05-31 14:27 176128 ----a-w- c:\program files\ActiproSoftware.Shared.dll
    2005-05-31 14:27 . 2005-05-31 14:27 147456 ----a-w- c:\program files\ActiproSoftware.WinUICore.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D3F3F3A-0E4B-4085-9032-7D072072319A}]
    2010-01-25 12:38 99704 ----a-w- c:\program files\PriceGong\2.0.0\PriceLoadIE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
    @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
    [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
    2009-07-28 20:49 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
    @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
    [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
    2009-07-28 20:49 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
    @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
    [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
    2009-07-28 20:49 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-08 39408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CFSServ.exe"="CFSServ.exe -NoClient" [X]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-01 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-01 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-01 138008]
    "RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
    "CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2007-07-06 651264]
    "HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
    "SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2006-05-25 65536]
    "TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2007-06-01 53248]
    "TFncKy"="TFncKy.exe" [BU]
    "TDispVol"="TDispVol.exe" [2005-12-27 73728]
    "TPSMain"="TPSMain.exe" [2005-08-11 266240]
    "Zooming"="ZoomingHook.exe" [2005-06-06 24576]
    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
    "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-07-28 671376]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "InternetDownload_upgrade"="c:\program files\Versalsoft\InternetDownload\InternetDownload.exe" [2010-03-09 394752]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    c:\documents and settings\Alan\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Alan\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\O2\\bin\\wificfg.exe"=
    "c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
    "c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
    "c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=

    R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
    R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
    R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [12/10/2009 17:33 46824]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/08/2009 19:29 102448]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 00:44 135664]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/01/2008 18:32 23888]
    S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [10/04/2010 15:54 14424]
    S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys --> c:\windows\system32\DRIVERS\TpChoice.sys [?]
    S4 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [08/01/2010 01:51 380928]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2010-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:44]

    2010-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:44]

    2010-04-15 c:\windows\Tasks\RegPowerClean.job
    - c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2010-02-15 14:48]

    2010-04-15 c:\windows\Tasks\RPCReminder.job
    - c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2010-02-15 14:34]
    .
    .
    Supplementary Scan
    .
    uStart Page = https://....
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: Download by Versalsoft Internet Download - c:\program files\Versalsoft\InternetDownload\adddownload.htm
    Trusted Zone: acumen-resources.com\mail
    Trusted Zone: qword.com
    FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\ofv3nlgg.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.abc.co.uk
    FF - component: c:\program files\pdfforge Toolbar\FF\components\pdfforgeToolbarFF.dll
    FF - component: c:\program files\pdfforge Toolbar\SSFF\components\SearchSettingsFF.dll
    FF - component: c:\program files\PriceGong\2.0.0\FF\components\PriceLoadFF.dll
    FF - plugin: c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\ofv3nlgg.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Alan\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-15 14:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(6020)
    c:\windows\system32\WININET.dll
    c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
    c:\documents and settings\Alan\Application Data\Dropbox\bin\DropboxExt.13.dll
    c:\windows\system32\TDispVol.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\TPwrCfg.DLL
    c:\windows\system32\TPwrReg.dll
    c:\windows\system32\TPSTrace.DLL
    .
    Other Running Processes
    .
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\TDispVol.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\system32\TPSMain.exe
    c:\windows\system32\ZoomingHook.exe
    c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
    c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
    c:\windows\system32\TPSBattM.exe
    c:\program files\Apoint2K\Apntex.exe
    c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-15 14:21:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-15 13:21
    ComboFix2.txt 2010-04-14 07:38

    Pre-Run: 106,915,188,736 bytes free
    Post-Run: 106,792,722,432 bytes free

    - - End Of File - - F4FB3FAABB6AAD500DEBDAA6A1E79486
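As an added example (not from the thread and not part of ComboFix), the script below does the first triage a responder would do on a ComboFix log like the one above: it scans the text for settings that show protection has been switched off or traffic is being redirected. The log posted here contains every one of them: the AV's on-access scanning off, the Symantec firewall off, Security Center overrides and monitoring disabled, the Windows Firewall standard profile disabled with notifications suppressed, and an Internet Explorer proxy pointing at 127.0.0.1:5555. The sample is a constructed excerpt copied from the indicator lines of the posted log; the check names are mine.

```python
import re

# Constructed excerpt: indicator lines copied from the ComboFix log posted in this thread,
# trimmed to the parts the checks below look at. Not a complete log.
SAMPLE_LOG = r"""
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"""

# (finding name, regex applied to the stripped line, required suffix of the enclosing [key] or None).
# DisableMonitoring is only flagged directly under ...\security center\Monitoring: the same value
# under a vendor subkey (SymantecAntiVirus, SymantecFirewall) is normal when a third-party
# suite registers itself with Security Center, so those hits would just be noise.
CHECKS = [
    ("av_on_access_disabled", r"^AV:.*\*On-access scanning disabled\*", None),
    ("firewall_product_disabled", r"^FW:.*\*disabled\*", None),
    ("security_center_override", r'^"(?:AntiVirusOverride|FirewallOverride)"=dword:0*1$', r"\security center"),
    ("security_center_monitoring_off", r'^"DisableMonitoring"=dword:0*1$', r"\security center\monitoring"),
    ("windows_firewall_off", r'^"EnableFirewall"=\s*0\b', r"\standardprofile"),
    ("firewall_notifications_off", r'^"DisableNotifications"=\s*1\b', r"\standardprofile"),
    ("loopback_proxy", r"ProxyServer\s*=.*\b(?:127\.0\.0\.1|localhost)\b", None),
]


def triage_combofix_log(text):
    """Return (finding, line_no, line) for each line that matches a check. The enclosing
    [key] header is tracked so that a registry value is only flagged under the key it
    matters in."""
    compiled = [(name, re.compile(rx, re.I), suffix) for name, rx, suffix in CHECKS]
    findings, current_key = [], ""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current_key = header.group(1).lower()
            continue
        for name, rx, suffix in compiled:
            if rx.search(line) and (suffix is None or current_key.endswith(suffix.lower())):
                findings.append((name, line_no, line))
    return findings


def summarize(findings):
    """Count findings per check name: a quick read of how much protection was switched off."""
    counts = {}
    for name, _, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, line_no, line in triage_combofix_log(SAMPLE_LOG):
        print(f"{line_no:3d} {name:32s} {line}")
```

A loopback proxy on an unusual port is the indicator worth chasing first: it means something on the machine expects to sit between the browser and the network, and the ComboFix "Reg Loading Points" and "Other Running Processes" sections are where to look for whatever listens on that port.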
  • closed
    closed Posts: 10,886 Forumite
    What is the model of the PC? If it didn't come with a disc, it may have a restore partition.
  • Pythagorous
    Pythagorous Posts: 755 Forumite
    Part of the Furniture 500 Posts Name Dropper Combo Breaker
    closed wrote: »
    What is the model of the PC? If it didn't come with a disc, it may have a restore partition.

    Toshiba Satellite Pro. It did come with a disk, but I think I've lost it :(
  • closed
    closed Posts: 10,886 Forumite
    You don't say which model. If you look in the manual, or download it from Toshiba, it should tell you the recovery-to-factory-state options (if they are there), or you could try booting holding down the zero key, or F8 or F12, to see if you get any restore-to-factory-state options, or borrow an XP disc.

    After ensuring you have your data backed up.
  • Pythagorous
    Pythagorous Posts: 755 Forumite
    Part of the Furniture 500 Posts Name Dropper Combo Breaker
    closed wrote: »
    You don't say which model. If you look in the manual, or download it from Toshiba, it should tell you the recovery-to-factory-state options (if they are there), or you could try booting holding down the zero key, or F8 or F12, to see if you get any restore-to-factory-state options, or borrow an XP disc.

    After ensuring you have your data backed up.

    Sorry, Sat Pro A200

    Thanks for the advice
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Logs not looking bad actually

    If you can, a factory reset is definitely the way to go (simply reboot and see if the option's there before Windows loads)

    As it stands, I'd be running a few more scanners to see how things are ~

    Download SUPERANTISPYWARE (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_superantispyware/
    UPDATE and PERFORM COMPLETE SCAN
    (Then go to console and LOGS and post the log it created, then untick it from STARTING UP WITH WINDOWS)

    ....................................................................

    Download and run the FREE version of DR WEB
    http://www.freedrweb.com/download+cureit/gr/
    Turn your anti virus OFF
    Click CANCEL to the 'Would you like to read purchase terms now?' message
    Click START click OK
    It will auto QUICK scan
    After that set to scan the WHOLE computer and press the 'play' icon
    ***DO NOT UPGRADE TO FULL VERSION***

    ..........................................................................

    Then give the system a clean ~

    Download CCLEANER (When installing UNTICK 'Add ccleaner YAHOO TOOLBAR...')
    http://www.piriform.com/ccleaner/download/standard
    Run the CLEANER scan (UNTICK 'cookies')
    Then run the REGISTRY scan (Backup the registry when it asks)
    reboot
    Download GLARY UTILITIES
    http://www.glaryutilities.com/download/gusetup_slim.exe
    Run the ONE CLICK scan
    Go to MODULES / SYSTEM TOOLS / WINDOWS STANDARD TOOLS / then run SYSTEM FILE CHECKER
  • debitcardmayhem
    debitcardmayhem Posts: 12,507 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Pythagorous wrote: »
    Thanks DCM. I used that the other day and it worked, but then the same problem came back today, so must be another underlying cause as well. I've just rerun the registry fix and it seems to have worked again. Hopefully it'll hold for a while longer this time.

    I'm going to delete all the red files Rik mentioned so hopefully that will help

    Glad that helped, if the reg fix works and now .exe starts working again.
    I will repost the bits again here for anyone else who has the problem of "open with" for Notepad and other programs like IE/Firefox/MBAM/etc.

    Copy the code below and paste it into Notepad (if, when running Notepad, it says "open with", select Notepad; you will get garbage in the window, don't worry, select File, New, then paste it), then save as xxx.reg and exit, then right-click on xxx.reg and merge it into the registry:
    Windows Registry Editor Version 5.00
    
    [-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
    
    [-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
    
    [-HKEY_CLASSES_ROOT\.exe\shell\open\command]
    
    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"
    
    [-HKEY_CLASSES_ROOT\secfile]
    
    Then hopefully all .exe files will start working again. Many thanks to the guys at bleepingcomputer.com for the source.
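An added example, not part of the post above or of the bleepingcomputer.com fix it credits, showing what that .reg file actually does and why it deletes keys in two places. It implements a minimal parser for the .reg syntax ([-KEY] deletes a key and everything under it, [KEY] creates it, @= sets the default value, "name"= a named value), applies the fix text copied from the post to a dict-based model of the registry, and resolves which command the shell would run for a double-clicked .exe before and after. The hijacked snapshot, the rogue command path and the simplified lookup order in exe_open_command are assumptions for illustration.

```python
import re

# The .reg fix exactly as posted in the thread above.
FIX_SCRIPT = r"""
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]

[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]
"""

# Constructed snapshot (an assumption, not data from the thread) of the keys involved on a
# machine with the "open with" hijack: .exe points at a bogus "secfile" ProgID, an open verb
# sits directly under the extension key, and a per-user copy under HKCU\Software\Classes
# shadows the machine-wide view.
ROGUE_CMD = r'"c:\constructed-example\rogue.exe" /START "%1" %*'
HIJACKED_STATE = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "secfile", "Content Type": "application/x-msdownload"},
    r"HKEY_CLASSES_ROOT\.exe\shell\open\command": {"@": ROGUE_CMD},
    r"HKEY_CLASSES_ROOT\secfile": {"@": "Secure File"},
    r"HKEY_CLASSES_ROOT\secfile\shell\open\command": {"@": ROGUE_CMD},
    r"HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command": {"@": ROGUE_CMD},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
}
# Per-user Classes shadow the machine-wide view, so they are consulted first.
ROOTS = (r"HKEY_CURRENT_USER\Software\Classes", "HKEY_CLASSES_ROOT")


def _canon(key):
    return key.lower().rstrip("\\")


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg syntax into ('delete_key', key), ('create_key', key) and
    ('set', key, name, value) operations. Only string values are handled, which is all
    this fix uses."""
    ops, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        key = re.fullmatch(r"\[(-?)(.+)\]", line)
        if key:
            if key.group(1):                      # [-KEY]: delete the key and its subkeys
                ops.append(("delete_key", key.group(2)))
                current = None
            else:                                 # [KEY]: create it; following values belong to it
                ops.append(("create_key", key.group(2)))
                current = key.group(2)
            continue
        val = re.fullmatch(r'(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"', line)
        if val and current is not None:
            name = "@" if val.group(1) is None else _unescape(val.group(1))
            ops.append(("set", current, name, _unescape(val.group(2))))
    return ops


def apply_reg(state, ops):
    """Apply parsed operations to a dict-of-dicts registry model (keys compared
    case-insensitively) and return a new model; deleting a key removes its subtree."""
    reg = {_canon(k): dict(v) for k, v in state.items()}
    for op in ops:
        if op[0] == "delete_key":
            target = _canon(op[1])
            for k in [k for k in reg if k == target or k.startswith(target + "\\")]:
                del reg[k]
        elif op[0] == "create_key":
            reg.setdefault(_canon(op[1]), {})
        else:
            _, key, name, value = op
            reg.setdefault(_canon(key), {})[name] = value
    return reg


def _get(reg, key, name="@"):
    return reg.get(_canon(key), {}).get(name)


def exe_open_command(reg):
    """Simplified model of how the shell picks the open command for a .exe: an open verb
    stored directly under the extension key wins; otherwise the extension's default value
    names a ProgID whose shell\\open\\command is used. Per-user keys are checked first."""
    for root in ROOTS:
        cmd = _get(reg, root + r"\.exe\shell\open\command")
        if cmd is not None:
            return cmd
    for root in ROOTS:
        progid = _get(reg, root + r"\.exe")
        if progid:
            for root2 in ROOTS:
                cmd = _get(reg, root2 + "\\" + progid + r"\shell\open\command")
                if cmd is not None:
                    return cmd
    return None


def hijack_indicators(reg):
    """List the signs this fix removes; an empty list means the association looks normal."""
    found = []
    for root in ROOTS:
        if _get(reg, root + r"\.exe\shell\open\command") is not None:
            found.append("open verb stored directly under " + root + r"\.exe")
    progid = _get(reg, r"HKEY_CURRENT_USER\Software\Classes\.exe") or _get(reg, r"HKEY_CLASSES_ROOT\.exe")
    if progid != "exefile":
        found.append(".exe ProgID is %r, expected 'exefile'" % progid)
    return found
```

Before merging a .reg file on a real machine, the same two facts can be read with `reg query HKCR\.exe` and `reg query HKCU\Software\Classes\.exe\shell\open\command`: the per-user key is the one that keeps the problem coming back after a machine-wide repair, which is why the fix deletes both rather than just resetting HKCR\.exe.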
  • cistolic
    cistolic Posts: 2,893 Forumite
    Hope I'm not intruding on someone else's problem, but am trying unsuccessfully to help my sister by phone. (We're over 60 so not too computer savvy.) She has the Anvi virus, tried an automatic removal tool online, and it is still there. Is there an automatic tool that will help please, or an idiot's version to do manually?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    cistolic wrote: »
    Hope I'm not intruding on someone else's problem, but am trying unsuccessfully to help my sister by phone. (We're over 60 so not too computer savvy.) She has the Anvi virus, tried an automatic removal tool online, and it is still there. Is there an automatic tool that will help please, or an idiot's version to do manually?

    Get her to join this site (you'll have to post the logs)

    Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_malwarebytes_anti_malware/
    Open Malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM QUICK SCAN then click SCAN
    Remove everything that's found (needs to be ticked)
    Post the COMPLETE log in a new thread AFTER you've deleted everything it finds
    If anything was found then do the exact same but run a FULL scan


    reboot

    Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_hijackthis/
    Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE (takes seconds) then post the log in a new thread so we can see what's running
    (do NOT do anything else with HijackThis but scan and post the FULL log)
    If you get a message that you can't write to the hosts file then press the SHIFT key, and whilst holding it RIGHT CLICK and select RUN AS (admin)
This discussion has been closed.