Worms and viruses - Help!


Comments

  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    First Anniversary Combo Breaker
    Uninstall the ASK TOOLBAR (also known as ASK BAR DIS)
    and the PDFFORGE TOOLBAR (if possible)

    TICK and FIX these (some shouldn't be there as long as the above are uninstalled, so don't worry if they're not) ~
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail.XXXXXcom/Remote/tsweb.a...edirectAudio=2
    R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
    O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\pdfforge Toolbar\SearchSettings.exe
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = XXXXX ***ALL OF THEM***
    O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

    reboot

    How's it running now?
    :idea:
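The fix list above is a set of HijackThis log lines, and the only thing that tells a toolbar entry apart from a harmless one is the file path and CLSID it points at. As an added illustration (not code from the thread, from HijackThis or from any vendor), here is a small Python parser for the line formats quoted in that post (R3, O2, O3, O4, O23). It extracts the entry type, display name, CLSID and file path, then reports any entry whose path sits under the toolbar directories the post names. The sample lines and the directory shortlist are constructed for the example; a real triage would review the whole log rather than a hand-picked list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: HijackThis-style lines of the kinds quoted in the
# thread (two toolbars, a Run entry, two services, and a benign QuickTime entry).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\pdfforge Toolbar\SearchSettings.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
"""

# Directory fragments of the bundled toolbars named in the post. Assumption: this is
# the reviewer's own shortlist for the example, not a vendor signature set.
UNWANTED_DIRS = ["\\askbardis\\", "\\pdfforge toolbar\\", "\\application updater\\"]


@dataclass
class Entry:
    kind: str             # HijackThis section code: R3, O2, O3, O4 or O23
    name: str             # display name of the BHO/toolbar, Run value or service
    clsid: Optional[str]  # lower-cased CLSID for R3/O2/O3 entries, else None
    path: str             # file-system path the entry loads


# R3/O2/O3 lines: "<code> - <label>: <name> - {CLSID} - <path>"
CLSID_LINE = re.compile(r"^(R3|O2|O3) - \w+: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")
# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_LINE = re.compile(r"^O4 - \S+: \[(.*?)\] (.*)$")
# O23 lines: "O23 - Service: <name> - <owner> - <path>"
SERVICE_LINE = re.compile(r"^O23 - Service: (.*?) - .*? - (.*)$")


def _exe_from_command(command: str) -> str:
    """Pull the program path out of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll))", command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_hijackthis(text: str) -> List[Entry]:
    """Turn the supported HijackThis line types into Entry records; skip the rest."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := CLSID_LINE.match(line):
            entries.append(Entry(m.group(1), m.group(2), m.group(3).lower(), m.group(4)))
        elif m := RUN_LINE.match(line):
            entries.append(Entry("O4", m.group(1), None, _exe_from_command(m.group(2))))
        elif m := SERVICE_LINE.match(line):
            entries.append(Entry("O23", m.group(1), None, m.group(2)))
    return entries


def flag_unwanted(entries: List[Entry], unwanted_dirs=UNWANTED_DIRS) -> List[Entry]:
    """Return the entries whose path lives under one of the unwanted directories."""
    return [e for e in entries
            if any(frag in e.path.lower() for frag in unwanted_dirs)]


if __name__ == "__main__":
    for e in flag_unwanted(parse_hijackthis(SAMPLE_LOG)):
        print(f"{e.kind:<4} {e.name:<22} {e.clsid or '-':<40} {e.path}")
```

Run as a script it prints the six toolbar-related entries and leaves the QuickTime Run entry alone; the same parser can be pointed at a full saved log to list every path-bearing entry before deciding what to tick.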
  • Pythagorous
    Pythagorous Posts: 746 Forumite
    First Post Name Dropper First Anniversary Combo Breaker
    Thanks Alienrik. Have only just seen your reply. I seem to have issues with disappearing programs etc as per my other thread here :-(

    http://forums.moneysavingexpert.com/showthread.html?p=31831203&posted=1#post31831203
  • Pythagorous
    Pythagorous Posts: 746 Forumite
    First Post Name Dropper First Anniversary Combo Breaker
    Actually looks like I'm still screwed with viruses. Before I had a chance to go in and make the changes Alienrik suggested I've started getting Windows security alerts popping up left, right and centre. The antivirus suite then scans and shows lots of critical status malwares, my Malwarebytes program that was previously installed seems to have disappeared and when I go into IE I can't get past a page that says "Internet Explorer warning - visiting this website may harm your computer". The only other page I can go to is a page asking me to purchase the antivirus suite software that is showing the malware in the scan.

    Where the 'eck do I go from here?

    Please help!!

    PS I'm typing this from my trusty mac :)
  • Pythagorous
    Pythagorous Posts: 746 Forumite
    First Post Name Dropper First Anniversary Combo Breaker
    As an update, I rebooted and although the laptop now doesn't have the virus messages popping up, I can't seem to get IE to load any pages. It is showing as being connected to the internet, but I now just get a completely blank white page as it constantly tries to connect.

    Anyone please able to help?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    First Anniversary Combo Breaker
    Does Firefox work?

    If so ~

    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your antivirus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME it, calling it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE it as 'QWERTY' on download

    .............................................................


    Here’s how you can disable all addons/extensions and run IE 7 or even IE 8 without them:

    * Go to Start > Run
    * Type iexplore -extoff
    * Press Enter


    Run Firefox Without Extensions

    Similarly, if you’re having any problems with Firefox, you could disable addons and run it in safe mode. Here’s how:

    * Go to the Run dialog by going to Start > Run
    * Type firefox -safe-mode
    * A window will pop up asking which things you want to disable or reset (e.g. reset/disable bookmarks/toolbars, etc.)
    * Give the right choices, and press ‘Restart’ for the changes to take effect
    :idea:
  • Pythagorous
    Pythagorous Posts: 746 Forumite
    First Post Name Dropper First Anniversary Combo Breaker
    edited 14 April 2010 at 9:07AM
    Hi AlienRik,

    Here is the combo report. I somehow managed to get firefox and IE to work again.

    ComboFix 10-04-13.02 - Alan 14/04/2010 8:31.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1289 [GMT 1:00]
    Running from: c:\documents and settings\Alan\My Documents\Downloads\ComboFix.exe
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Alan\Application Data\.#\MBX@113C@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@113C@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@113C@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@11D8@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@11D8@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@11D8@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1210@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1210@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1210@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1270@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1270@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1270@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@12D0@394180.###
    c:\documents and settings\Alan\Application Data\.#\MBX@12D0@3941B0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@12D0@3941E0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@13A0@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@13A0@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@13A0@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1538@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1538@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1538@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@157C@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@157C@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@157C@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@15D8@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@15D8@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@15D8@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1770@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1770@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@1770@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@554@394180.###
    c:\documents and settings\Alan\Application Data\.#\MBX@554@3941B0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@554@3941E0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@860@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@860@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@860@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@8C0@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@8C0@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@8C0@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@9AC@394180.###
    c:\documents and settings\Alan\Application Data\.#\MBX@9AC@3941B0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@9AC@3941E0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@9F0@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@9F0@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@9F0@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@BDC@394180.###
    c:\documents and settings\Alan\Application Data\.#\MBX@BDC@3941B0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@BDC@3941E0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@C90@394180.###
    c:\documents and settings\Alan\Application Data\.#\MBX@C90@3941B0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@C90@3941E0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@CF0@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@CF0@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@CF0@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@DDC@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@DDC@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@DDC@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@DE4@394180.###
    c:\documents and settings\Alan\Application Data\.#\MBX@DE4@3941B0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@DE4@3941E0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@F0@394180.###
    c:\documents and settings\Alan\Application Data\.#\MBX@F0@3941B0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@F0@3941E0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@F48@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@F48@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@F48@394220.###
    c:\documents and settings\Alan\Application Data\.#\MBX@F78@394180.###
    c:\documents and settings\Alan\Application Data\.#\MBX@F78@3941B0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@F78@3941E0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@FE8@3941C0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@FE8@3941F0.###
    c:\documents and settings\Alan\Application Data\.#\MBX@FE8@394220.###


    .
    ((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
    .

    2010-04-13 20:01 . 2010-04-13 23:31 -------- d-----w- c:\documents and settings\Alan\Local Settings\Application Data\saolbvtie
    2010-04-10 14:54 . 2010-04-13 23:55 -------- d-----w- c:\program files\PeerBlock
    2010-04-08 11:32 . 2010-04-08 11:32 -------- d-----w- c:\windows\system\Iosubsys
    2010-04-08 11:32 . 2006-11-03 10:01 212992 ----a-r- c:\windows\system32\drivers\RevHDD.exe
    2010-04-08 11:32 . 2006-10-12 13:53 17828 ----a-r- c:\windows\system32\drivers\SPIF225.sys
    2010-04-07 19:54 . 2010-04-07 19:54 -------- d-----w- c:\program files\Trend Micro
    2010-04-07 17:18 . 2010-04-07 17:18 -------- d-----w- c:\documents and settings\Alan\Application Data\Malwarebytes
    2010-04-07 17:18 . 2010-03-29 14:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-07 17:18 . 2010-04-07 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-07 17:18 . 2010-04-07 17:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-07 17:18 . 2010-03-29 14:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-02 16:20 . 2010-04-02 16:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Xobni

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-14 07:22 . 2010-02-15 19:15 -------- d-----w- c:\documents and settings\Alan\Application Data\PriceGong
    2010-04-14 07:21 . 2009-09-03 07:37 -------- d-----w- c:\documents and settings\Alan\Application Data\Dropbox
    2010-04-13 23:55 . 2009-08-30 15:31 -------- d-----w- c:\documents and settings\Alan\Application Data\Azureus
    2010-04-13 22:44 . 2009-09-01 19:29 -------- d-----w- c:\documents and settings\Alan\Application Data\HPAppData
    2010-04-10 20:15 . 2009-12-26 11:54 -------- d-----w- c:\documents and settings\Alan\Application Data\vlc
    2010-04-08 10:44 . 2007-08-01 10:24 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-05 10:13 . 2009-11-22 10:09 -------- d-----w- c:\documents and settings\Alan\Application Data\TuneUpMedia
    2010-03-11 21:21 . 2007-08-01 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-03-11 12:38 . 2007-08-01 08:21 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2007-08-01 08:21 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2007-08-01 08:21 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-02-26 08:54 . 2009-10-12 12:16 91696 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\bin\Uninstall.exe
    2010-02-26 08:53 . 2010-02-26 08:53 13264416 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\cache\Dropbox-update-0.7.110.exe
    2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\bin\Dropbox.exe
    2010-02-25 14:14 . 2009-11-22 10:09 -------- d-----w- c:\program files\TuneUpMedia
    2010-02-19 22:24 . 2009-10-15 16:51 -------- d-----w- c:\documents and settings\Alan\Application Data\VSO
    2010-02-19 17:52 . 2010-02-19 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-02-19 17:51 . 2010-02-19 17:51 -------- d-----w- c:\documents and settings\Alan\Application Data\Office Genuine Advantage
    2010-02-15 19:21 . 2010-02-15 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Winferno
    2010-02-15 19:15 . 2010-02-15 19:15 -------- d-----w- c:\program files\Xobni
    2010-02-15 19:15 . 2010-02-15 19:15 -------- d-----w- c:\program files\Winferno
    2010-02-15 19:15 . 2010-02-15 19:15 -------- d-----w- c:\program files\PriceGong
    2010-02-12 10:03 . 2010-03-07 14:17 293376 ------w- c:\windows\system32\browserchoice.exe
    2009-10-14 15:12 . 2009-10-14 15:12 1372952 ----a-w- c:\program files\APUserManual.pdf
    2009-10-14 14:39 . 2009-10-14 14:39 8412 ----a-w- c:\program files\APQuickStart.pdf
    2009-10-13 12:23 . 2009-10-13 12:23 7266304 ----a-w- c:\program files\Achieve.exe
    2009-10-13 12:23 . 2009-10-13 12:23 1298432 ----a-w- c:\program files\efxstd.DLL
    2009-10-12 12:28 . 2009-10-12 12:28 265259 ----a-w- c:\program files\AchieveHelp.chm
    2008-12-09 10:24 . 2008-12-09 10:24 87713 ----a-w- c:\program files\Default.dat
    2008-10-29 09:23 . 2008-10-29 09:23 11611 ----a-w- c:\program files\APKeyboardReference.pdf
    2008-10-21 14:28 . 2008-10-21 14:28 115339 ----a-r- c:\program files\Sample.ach
    2007-11-28 09:49 . 2007-11-28 09:49 458752 ----a-w- c:\program files\Infragistics.Win.Misc.v7.1.dll
    2007-11-28 09:49 . 2007-11-28 09:49 425984 ----a-w- c:\program files\Infragistics.Win.UltraWinEditors.v7.1.dll
    2007-11-28 09:49 . 2007-11-28 09:49 253952 ----a-w- c:\program files\Infragistics.Win.UltraWinTabControl.v7.1.dll
    2007-11-28 09:49 . 2007-11-28 09:49 1675264 ----a-w- c:\program files\Infragistics.Win.UltraWinChart.v7.1.dll
    2007-11-28 09:49 . 2007-11-28 09:49 159744 ----a-w- c:\program files\Infragistics.Win.UltraWinPrintPreviewDialog.v7.1.dll
    2007-11-28 09:49 . 2007-11-28 09:49 106496 ----a-w- c:\program files\Infragistics.Win.UltraWinDataSource.v7.1.dll
    2006-08-23 14:40 . 2006-08-23 14:40 69632 ----a-w- c:\program files\SecurityManager.dll
    2006-05-11 19:44 . 2006-05-11 19:44 126976 ----a-w- c:\program files\MiniComm.DLL
    2006-02-15 02:32 . 2006-02-15 02:32 225280 ----a-w- c:\program files\tx12_htm.dll
    2006-02-13 12:02 . 2006-02-13 12:02 663552 ----a-w- c:\program files\tx12.dll
    2006-02-10 12:02 . 2006-02-10 12:02 274432 ----a-w- c:\program files\TXTextControl.dll
    2006-02-09 05:00 . 2006-02-09 05:00 479232 ----a-w- c:\program files\tx12_doc.dll
    2006-02-09 05:00 . 2006-02-09 05:00 360448 ----a-w- c:\program files\tx12_rtf.dll
    2006-02-09 03:20 . 2006-02-09 03:20 530 ----a-w- c:\program files\tx12_ic.ini
    2006-02-09 03:20 . 2006-02-09 03:20 106496 ----a-w- c:\program files\tx12_ic.dll
    2006-02-02 02:01 . 2006-02-02 02:01 53248 ----a-w- c:\program files\tx12_wnd.dll
    2006-02-02 02:01 . 2006-02-02 02:01 258048 ----a-w- c:\program files\tx12_css.dll
    2006-02-01 02:21 . 2006-02-01 02:21 126976 ----a-w- c:\program files\tx12_tls.dll
    2006-01-28 10:25 . 2006-01-28 10:25 196608 ----a-w- c:\program files\Office.dll
    2006-01-28 10:23 . 2006-01-28 10:23 389120 ----a-w- c:\program files\Microsoft.Office.Interop.Outlook.dll
    2005-11-11 01:32 . 2005-11-11 01:32 303104 ----a-w- c:\program files\tx12_xml.dll
    2005-09-16 18:29 . 2005-09-16 18:29 90112 ----a-w- c:\program files\achbn.exe
    2005-08-08 11:14 . 2005-08-08 11:14 16384 ----a-w- c:\program files\uis.exe
    2005-07-26 01:13 . 2005-07-26 01:13 217088 ----a-w- c:\program files\tx12_png.flt
    2005-07-26 01:12 . 2005-07-26 01:12 516096 ----a-w- c:\program files\tx12_pdf.dll
    2005-07-06 11:12 . 2005-07-06 11:12 16384 ----a-w- c:\program files\stdole.dll
    2005-07-04 02:45 . 2005-07-04 02:45 61440 ----a-w- c:\program files\tx12_tif.flt
    2005-07-04 02:02 . 2005-07-04 02:02 49152 ----a-w- c:\program files\tx12_bmp.flt
    2005-07-04 01:14 . 2005-07-04 01:14 33280 ----a-w- c:\program files\tx12_wmf.flt
    2005-07-04 01:13 . 2005-07-04 01:13 172032 ----a-w- c:\program files\tx12_jpg.flt
    2005-07-04 01:04 . 2005-07-04 01:04 49152 ----a-w- c:\program files\tx12_gif.flt
    2005-05-31 14:27 . 2005-05-31 14:27 503808 ----a-w- c:\program files\ActiproSoftware.UIStudio.Dock.dll
    2005-05-31 14:27 . 2005-05-31 14:27 176128 ----a-w- c:\program files\ActiproSoftware.Shared.dll
    2005-05-31 14:27 . 2005-05-31 14:27 147456 ----a-w- c:\program files\ActiproSoftware.WinUICore.dll
    2005-05-17 15:12 . 2005-05-17 15:12 36864 ----a-w- c:\program files\BICommon.dll
    2005-01-12 15:24 . 2005-01-12 15:24 623 ----a-w- c:\program files\Achieve.exe.manifest
    2004-09-01 15:19 . 2004-09-01 15:19 20480 ----a-w- c:\program files\EPR.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D3F3F3A-0E4B-4085-9032-7D072072319A}]
    2010-01-25 12:38 99704 ----a-w- c:\program files\PriceGong\2.0.0\PriceLoadIE.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
    @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
    [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
    2009-07-28 20:49 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
    @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
    [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
    2009-07-28 20:49 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
    @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
    [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
    2009-07-28 20:49 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Alan\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-08 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CFSServ.exe"="CFSServ.exe -NoClient" [X]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-01 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-01 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-01 138008]
    "RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
    "CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2007-07-06 651264]
    "HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
    "SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2006-05-25 65536]
    "TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2007-06-01 53248]
    "TFncKy"="TFncKy.exe" [BU]
    "TDispVol"="TDispVol.exe" [2005-12-27 73728]
    "TPSMain"="TPSMain.exe" [2005-08-11 266240]
    "Zooming"="ZoomingHook.exe" [2005-06-06 24576]
    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
    "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-07-28 671376]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    c:\documents and settings\Alan\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\Alan\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\O2\\bin\\wificfg.exe"=
    "c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
    "c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
    "c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
  • Pythagorous
    Pythagorous Posts: 746 Forumite
    First Post Name Dropper First Anniversary Combo Breaker
    R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 17:19 202280]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
    R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
    R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [12/10/2009 17:33 46824]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/08/2009 19:29 102448]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 00:44 135664]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/01/2008 18:32 23888]
    S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [10/04/2010 15:54 14424]
    S3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys --> c:\windows\system32\DRIVERS\TpChoice.sys [?]
    S4 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [08/01/2010 01:51 380928]
    S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [30/08/2009 16:31 464264]
    S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [30/08/2009 16:31 234888]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2010-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:44]

    2010-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 23:44]

    2009-06-02 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2007-08-01 00:12]

    2009-06-02 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2007-08-01 00:12]

    2009-06-02 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\system32\OOBE\oobebaln.exe [2007-08-01 00:12]

    2010-04-14 c:\windows\Tasks\RegPowerClean.job
    - c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2010-02-15 14:48]

    2010-04-14 c:\windows\Tasks\RPCReminder.job
    - c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2010-02-15 14:34]
    .
    .
    Supplementary Scan
    .
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\ofv3nlgg.default\
    FF - prefs.js: browser.startup.homepage - hxxp:
    FF - component: c:\program files\pdfforge Toolbar\FF\components\pdfforgeToolbarFF.dll
    FF - component: c:\program files\pdfforge Toolbar\SSFF\components\SearchSettingsFF.dll
    FF - component: c:\program files\PriceGong\2.0.0\FF\components\PriceLoadFF.dll
    FF - plugin: c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\ofv3nlgg.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Alan\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
    FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-RevHDD - c:\windows\SYSTEM\RevHDD.exe
    SafeBoot-Symantec Antvirus
    AddRemove-The Action Machine_is1 - c:\program files\The Action Machine\unins000.exe



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    Completion time: 2010-04-14 08:38:17
    ComboFix-quarantined-files.txt 2010-04-14 07:38

    Pre-Run: 106,677,862,400 bytes free
    Post-Run: 106,958,471,168 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 6EC01DA6657B28D4CC50FC3E5AA59261
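Two items in the log above deserve a second look beyond the toolbars the replies focus on: the user-level proxy `ProxyServer = http=127.0.0.1:5555`, which routes every browser request through a local listener (an interception point, and one worth checking is gone after cleanup), and the Firefox `greprefs` entries that leave the TLS renegotiation fix switched off. As an added example, not part of this thread and not a ComboFix feature, the following Python script scans ComboFix-style log lines for a loopback proxy, for executables dropped directly into `c:\program files` without a vendor folder (as with `achbn.exe` and `uis.exe` above), and for those weak TLS prefs. The regexes, the finding categories and the sample lines are my own constructions, modelled on the log as posted.

```python
"""Triage a ComboFix-style log for a few signs of tampering.

Added example for this thread; not part of ComboFix or of the original post.
The heuristics, regexes and category names are the example author's choices.
"""
import ipaddress
import re

# Constructed sample lines, modelled on the ComboFix output posted above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - component: c:\program files\pdfforge Toolbar\FF\components\pdfforgeToolbarFF.dll
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\achbn.exe
c:\program files\uis.exe
c:\program files\Java\jre1.6.0\bin\npjava11.dll
"""

# "ProxyServer = http=127.0.0.1:5555"; the "http=" scheme prefix is optional
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[^:;\s]+):(?P<port>\d+)", re.I)
# any Windows path on the line that ends in an executable extension
PATH_RE = re.compile(r"c:\\.+?\.(?:exe|dll|sys)\b", re.I)
# a binary sitting directly in c:\program files with no vendor subfolder
LOOSE_BIN_RE = re.compile(r"^c:\\program files\\[^\\]+$", re.I)
PREF_RE = re.compile(r'pref\("([^"]+)",\s*([^)]+)\);')
# Firefox prefs that, when false, leave the TLS renegotiation fix disabled
WEAK_TLS_PREFS = {
    "security.ssl.require_safe_negotiation": "false",
    "security.ssl.treat_unsafe_negotiation_as_broken": "false",
}


def is_loopback(host):
    """True for 'localhost' or any loopback IP (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return (category, detail) findings in the order they occur in the log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            endpoint = f"{m.group('host')}:{m.group('port')}"
            category = "loopback_proxy" if is_loopback(m.group("host")) else "proxy"
            findings.append((category, endpoint))
        m = PREF_RE.search(line)
        if m and WEAK_TLS_PREFS.get(m.group(1)) == m.group(2).strip():
            findings.append(("weak_tls_pref", m.group(1)))
        for path in PATH_RE.findall(line):
            if LOOSE_BIN_RE.match(path):
                findings.append(("loose_binary", path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:16} {detail}")
```

Two caveats. The loopback proxy is the strongest signal here: a legitimate local proxy is rare on a home PC, and until it is removed every HTTP request goes through whatever listens on that port. The weak TLS prefs, by contrast, were the shipped defaults in Firefox builds of that period, so the script reports them as a posture item rather than as proof of tampering. A clean run of this script proves nothing on its own; the advice in the thread to wipe and reinstall still stands.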
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    First Anniversary Combo Breaker
    Your computer's a total mess.

    You run this combofix log at your own risk, but you need to do SOMETHING. I really recommend formatting and starting afresh though.

    If you wish to proceed ~

    Open notepad and copy/paste the text in RED below

    File::
    c:\program files\tx12_htm.dll
    c:\program files\tx12.dll
    c:\program files\tx12_doc.dll
    c:\program files\tx12_rtf.dll
    c:\program files\tx12_ic.ini
    c:\program files\tx12_ic.dll
    c:\program files\tx12_wnd.dll
    c:\program files\tx12_css.dll
    c:\program files\tx12_tls.dll
    c:\program files\tx12_xml.dll
    c:\windows\system32\drivers\RevHDD.exe
    c:\windows\system32\drivers\SPIF225.sys
    c:\program files\efxstd.DLL
    c:\program files\MiniComm.DLL
    c:\program files\Office.dll
    c:\program files\SecurityManager.dll
    c:\program files\Microsoft.Office.Interop.Outlook.dll
    c:\program files\achbn.exe
    c:\program files\uis.exe
    c:\program files\tx12_png.flt
    c:\program files\tx12_pdf.dll
    c:\program files\stdole.dll
    c:\program files\tx12_tif.flt
    c:\program files\tx12_bmp.flt
    c:\program files\tx12_wmf.flt
    c:\program files\tx12_jpg.flt
    c:\program files\tx12_gif.flt
    c:\program files\BICommon.dll
    c:\program files\Achieve.exe.manifest
    c:\program files\EPR.dll
    c:\program files\Achieve.exe
    c:\program files\AchieveHelp.chm
    c:\program files\Default.dat
    c:\program files\APKeyboardReference.pdf
    c:\program files\Sample.ach
    c:\program files\Infragistics.Win.Misc.v7.1.dll
    c:\program files\Infragistics.Win.UltraWinEditors.v7.1.dll
    c:\program files\Infragistics.Win.UltraWinTabControl.v7.1.dll
    c:\program files\Infragistics.Win.UltraWinChart.v7.1.dll
    c:\program files\Infragistics.Win.UltraWinPrintPreviewDialog.v7.1.dll
    c:\program files\Infragistics.Win.UltraWinDataSource.v7.1.dll
    c:\program files\AskBarDis\bar\bin\askBar.dll
    c:\program files\AskBarDis\bar\bin\AskService.exe
    c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe
    c:\windows\system32\OOBE\oobebaln.exe



    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.gif]


    This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply.

    Combofix should never take more than 20 minutes, including the reboot, if malware is detected.
    If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; Combofix should then continue.



    :idea:
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    First Anniversary Combo Breaker
    Uninstall REGISTRY POWER CLEANER too
    :idea:
  • Pythagorous
    Pythagorous Posts: 746 Forumite
    First Post Name Dropper First Anniversary Combo Breaker
    Thanks AlienRIK. I thought I had it all sorted yesterday, then when I booted up this morning my Dropbox, Carbonite and Firefox had disappeared again!

    I'm happy to basically reformat and start from scratch again, but is it possible to do this without the original disks? Just want the quickest route to get back to a working PC again! Would reinstalling a completely new HD be an idea?

    When you say I'm in a mess, is my current data at risk of being stolen?

    Running the combofix again now. Watch this space!
This discussion has been closed.