Being hijacked over and over, can't seem to remove...

No, it's not

It's not related to the BANS toolbar at all. That BANS toolbar thing is something I downloaded eons ago, decided it was rubbish and deleted it.

If I try to open the Affiliate Organizer program, I get a grey box that comes up that says "error info" and has a yellow triangle with an exclamation mark in it. The files are still there in my Program Files, but the DB with all my info in it is either encrypted or corrupted, as it's unreadable and I can't view my passwords etc.

Thanks
 
Thanks for letting me know about the BANS toolbar.

What happened to Affiliate Organizer looks to be a glitch/freak occurrence. Looking over the other files that ComboFix deleted, they are all malicious and shouldn't have anything to do with AO.

"I get a grey box that comes up that says error info and has a yellow triangle with an exclamation mark in it."

Does the "error info" say anything more specific? Does it list any files or error codes?

Also, is the following website the one for AO:

http://www.affiliateorganizer.com/
 
No more info

That's it; it says nothing else at all.
Yes, it looks like the same software, although they have either redone the site since I bought it or I bought it from another licensed site.
Please, this is vital: can I recover my info, passes etc.? I'm stuck and can't work without them.
Thanks
 
I did some searching around to see if I could find any FAQs or forums on AO and I was unable to find any that could help.

The best thing to do now, would be to contact the company who makes AO directly as they would best know how to get your data back.

Here's their e-mail address:

support@affiliateorganizer.com

Another thing you can try: go to Affiliate Organizer 2.0 in Add/Remove Programs and try either reinstalling it or seeing if it gives you the option to do a repair install on the program.
 
So...

Is there no way of doing a computer restore to get my data back after running ComboFix?

The forum people for the software are not going to know how to do anything after ComboFix has deleted it, are they?
 
Just checked, and no.

The program does not give an option to reinstall it. Unless I can recover this by restoring the PC, it seems all my most important data is lost.
 
To be accurate

It only gives the option to uninstall, not repair.
I can't believe this, I've lost two days of work already.
Please tell me if my system can be restored to get my data back?
 
You can try going to System Restore and restoring your computer to a date back before you ran ComboFix.

That should get AO working again. The bad thing about doing that is that it will also bring back the malicious files that ComboFix deleted. If you do that, then we'll have to get rid of those files another way.
 
ERUNT is used to back up your Registry. You can try going to the folder where you installed ERUNT and clicking on ERDNT.exe to see if restoring your registry solves the problem. Only do that if you did use ERUNT to back up your registry.

To do a System Restore, follow the instructions at the website below:

http://support.microsoft.com/kb/306084


Remember to pick a restore date that is before (like 1-2 days before) the day you ran ComboFix.
 
OK, restored

I had to restore back to the 18th; got my data and saved it off the PC. Re-did all steps back to this point; here are fresh logs.

ComboFix log
ComboFix 09-05-22.05 - Dee 23/05/2009 0:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.391 [GMT 1:00]
Running from: c:\documents and settings\Dee\Desktop\SYSTEMTOOLS\worknow.com.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\program files\IEToolbar
c:\program files\IEToolbar\BANS Toolbar\tbhelper.dll
c:\program files\IEToolbar\BANS Toolbar\uninstall.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\Ijl11.dll
c:\windows\system32\oledb32.dll
E:\Autorun.inf
E:\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-22 22:44 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-22 22:44 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 14:29 . 2009-05-22 20:48 -------- d-sh--w C:\RECYCLER(2)
2009-05-20 00:00 . 2009-05-20 00:00 -------- d-----w c:\documents and settings\Dee\Application Data\Malwarebytes
2009-05-20 00:00 . 2009-05-22 22:44 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-20 00:00 . 2009-05-20 00:00 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-17 22:54 . 2009-05-17 22:54 -------- d-----w c:\program files\ERUNT
2009-05-16 23:04 . 2009-05-16 23:05 -------- d-----w c:\program files\Defraggler
2009-05-16 19:28 . 2009-05-22 22:57 117760 ----a-w c:\documents and settings\Dee\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-16 19:27 . 2009-05-16 19:27 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-16 19:27 . 2009-05-16 19:27 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-16 19:27 . 2009-05-16 19:27 -------- d-----w c:\documents and settings\Dee\Application Data\SUPERAntiSpyware.com
2009-05-16 18:46 . 2009-05-16 18:46 -------- d-----w c:\program files\CONEXANT
2009-05-16 16:36 . 2009-05-17 08:02 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-16 14:03 . 2009-05-16 14:03 -------- d-----w c:\documents and settings\All Users\Application Data\OnlineArmor
2009-05-16 14:03 . 2009-05-16 14:43 -------- d-----w c:\documents and settings\Dee\Application Data\OnlineArmor
2009-05-16 14:02 . 2009-03-06 23:40 30920 ----a-w c:\windows\system32\drivers\OAmon.sys
2009-05-16 14:02 . 2009-03-06 23:40 28872 ----a-w c:\windows\system32\drivers\OAnet.sys
2009-05-16 14:02 . 2009-03-06 23:40 178376 ----a-w c:\windows\system32\drivers\OADriver.sys
2009-05-16 14:02 . 2009-05-16 14:02 -------- d-----w c:\program files\Tall Emu
2009-05-16 14:02 . 2009-05-16 14:02 -------- d-----w C:\OnlineArmor
2009-05-16 14:01 . 2009-05-16 14:03 -------- d-----w c:\program files\a-squared Free
2009-05-15 17:28 . 2009-05-15 17:39 -------- d-----w c:\program files\ICQ6.5
2009-05-13 22:59 . 2009-05-13 22:59 -------- d-----w c:\program files\GC Keyword Analyzer
2009-05-12 11:42 . 2009-05-12 11:42 -------- d-----w c:\documents and settings\All Users\Application Data\Ultimate Keyword Theme Extractor
2009-05-12 11:42 . 2009-05-12 11:42 -------- d-----w c:\program files\Ultimate Keyword Theme Extractor
2009-05-04 13:00 . 2009-05-07 19:59 -------- d-----w c:\documents and settings\Dee\Application Data\Inspyder InSite
2009-05-02 11:26 . 2009-05-02 11:26 152576 ----a-w c:\documents and settings\Dee\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-25 21:53 . 2009-04-25 21:55 -------- d-----w C:\astrosite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 22:54 . 2007-06-12 18:25 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-22 22:12 . 2007-04-26 06:24 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 22:03 . 2006-05-26 08:55 -------- d-----w c:\program files\Java
2009-05-22 21:00 . 2007-08-25 09:31 -------- d-----w c:\program files\Affiliate Organizer
2009-05-18 22:56 . 2006-10-24 15:45 -------- d-----w c:\program files\Windows Live Toolbar
2009-05-16 23:31 . 2006-09-06 18:11 -------- d-----w c:\documents and settings\Dee\Application Data\OpenOffice.org2
2009-05-16 22:31 . 2008-12-10 12:10 -------- d-----w c:\program files\SENuke
2009-05-16 21:59 . 2007-07-22 14:58 -------- d-----w c:\program files\Content-N-Cash
2009-05-16 19:26 . 2007-02-28 01:55 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-16 12:02 . 2007-06-26 09:23 -------- d-----w c:\program files\Internet Download Manager
2009-05-15 17:30 . 2008-06-17 15:12 -------- d-----w c:\program files\ICQ6
2009-05-15 09:16 . 2007-06-26 09:23 -------- d-----w c:\documents and settings\Dee\Application Data\IDM
2009-05-14 12:31 . 2008-06-24 14:53 -------- d-----w c:\program files\Article Submitter Pro
2009-05-13 20:07 . 2007-06-26 09:23 -------- d-----w c:\documents and settings\Dee\Application Data\DMCache
2009-05-12 13:19 . 2007-04-07 09:53 -------- d-----w c:\program files\FlashFXP
2009-05-10 14:37 . 2008-01-19 00:57 -------- d-----w c:\program files\RSS Submit
2009-05-10 12:37 . 2007-11-16 15:30 -------- d-----w c:\program files\WordFlood 2.0
2009-05-10 12:03 . 2009-02-19 13:23 -------- d-----w c:\program files\SocialSpeed
2009-05-10 03:29 . 2008-09-29 15:03 -------- d-----w c:\program files\SliQTools
2009-05-10 02:52 . 2009-01-24 11:31 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-07 20:10 . 2007-04-13 08:36 -------- d-----w c:\program files\digiXMAS
2009-04-30 17:12 . 2008-08-03 06:09 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-30 17:12 . 2007-12-08 19:41 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-04-30 17:12 . 2008-08-03 06:09 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-30 17:12 . 2008-08-03 06:09 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-25 21:25 . 2008-05-30 17:50 -------- d-----w c:\program files\Matrix
2009-03-09 04:19 . 2008-11-21 22:12 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 08:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 13:58 . 2009-03-04 13:58 0 ----a-w c:\documents and settings\Dee\ntuser.tmp
2009-03-03 00:18 . 2004-08-04 08:00 826368 ----a-w c:\windows\system32\wininet.dll
2006-05-24 16:38 . 2008-02-22 01:50 233472 -c--a-w c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-18 17:00 . 2008-02-22 01:50 204895 -c--a-w c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 14:41 . 2008-02-22 01:50 77824 -c--a-w c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-05-18 16:59 . 2008-02-22 01:50 426081 -c--a-w c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 12:19 . 2008-02-22 01:50 458752 -c--a-w c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 18:35 . 2008-02-22 01:50 139264 -c--a-w c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 11:10 . 2008-02-22 01:50 204800 -c--a-w c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 11:42 . 2008-02-22 01:50 106496 -c--a-w c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 11:22 . 2008-02-22 01:50 212992 -c--a-w c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 11:21 . 2008-02-22 01:50 167936 -c--a-w c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
2008-02-22 03:30 . 2008-02-22 03:30 80 -csh--r c:\windows\CT5PRET.BIN
2002-07-31 19:55 . 2008-01-06 14:33 106 -csh--w c:\windows\WSYS049.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 62976]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-20 185784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-30 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Dee\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-4-12 643133]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-30 17:12 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 15:08 434176 ----a-w c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli AsWlnPkg
path=
backup=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Documents and Settings\\Dee\\My Documents\\Downloads\\Programs\\utorrent.exe"=
"c:\\Program Files\\Micro Niche Finder\\microniche.exe"=
"c:\\Program Files\\iWatermark\\iWatermark.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/08/2008 07:09 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/08/2008 07:09 108552]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [16/05/2009 15:02 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [16/05/2009 15:02 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [16/05/2009 15:02 28872]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [29/11/2005 17:56 36768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 09:00 14336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [15/01/2009 11:06 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [15/01/2009 11:06 298776]
R2 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [06/03/2008 20:58 355840]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [16/05/2009 15:02 1402568]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [27/07/2005 17:25 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [27/07/2005 17:25 36352]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21/10/2005 12:19 36352]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [27/07/2005 17:25 77056]
S3 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [16/05/2009 15:02 3321032]
S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [12/10/2007 14:07 55808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-05-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download FLV video content with IDM
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?d4a8adb91c0f4702972ae83164765d84
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?d4a8adb91c0f4702972ae83164765d84
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: stumbleupon.com
FF - ProfilePath - c:\documents and settings\Dee\Application Data\Mozilla\Firefox\Profiles\lvnyvz54.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - BoardTracker
FF - prefs.js: browser.startup.homepage - hxxp://www.future-forcast.co.uk
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-23 00:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2194445863-3924508569-3793972843-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2194445863-3924508569-3793972843-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F5F7521C-F4FE-3D98-F635-1C792DD7D7FA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"naknkhmegpegmlkeffimcggaflcf"=hex:6a,61,6f,6e,70,61,6d,66,6a,68,6f,62,6d,6f,
66,65,61,64,6b,67,00,fb
"maenajbcgicijgnljclllanbgl"=hex:6a,61,6f,6e,70,61,6d,66,6a,68,6f,62,6d,6f,66,
65,61,64,6b,67,00,fb
"naolclbiegfcceckhchdnibcbdli"=hex:62,61,69,6e,00,8f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ea,a4,47,18,6d,ac,32,29,18,4e,ef,ed,d8,6c,f8,06,53,34,fe,5b,b2,
f7,88,52,3a,0f,de,95,cf,34,4f,2f,c4,cb,5c,a2,23,0c,83,8a,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):b4,80,6a,fe,2c,6a,75,d7,84,8b,54,88,3e,2e,ae,42,77,71,6f,10,98,
38,4a,ca,e6,25,6e,08,ec,b5,7b,f1,df,0a,0e,c7,c0,a7,7f,7f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{93e6e9bd-f9cf-4ae4-ada7-eea9926b48e5}]
@Denied: (Full) (Everyone)
"Model"=dword:000000cc
"Therad"=dword:0000001d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e423eca4-9c18-47a7-b6fb-515e406fd7a1}]
@Denied: (Full) (Everyone)
"Model"=dword:0000010f
"Therad"=dword:00000015
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'lsass.exe'(920)
c:\program files\HPQ\IAM\bin\AsWlnPkg.dll
.
Completion time: 2009-05-22 0:10
ComboFix-quarantined-files.txt 2009-05-22 23:09
ComboFix2.txt 2009-05-21 14:14

Pre-Run: 16,136,540,160 bytes free
Post-Run: 16,136,409,088 bytes free

260 --- E O F --- 2009-05-15 07:17
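The "Other Deletions" list above is the part of a ComboFix run that is worth reading most carefully, because ComboFix has already acted on it. Most entries are the expected toolbar remnants, stray .ini files under %windir% and an Autorun.inf on the E: drive, but two of them sit in c:\windows\system32, and oledb32.dll is also the name of the Microsoft OLE DB core services DLL. The thread does not say what broke Affiliate Organizer, and this example does not claim to; the point is that a deletion under a system directory should be verified (the quarantined copy's hash or signature against a known-good Windows file) before the whole list is accepted as malicious. The script below is an added example, not part of the thread and not ComboFix code. It parses the section header format ComboFix uses, buckets each deleted path by where it lived and assigns a verdict. The sample input is copied from the log posted above; the verdict policy is the example's own assumption.

```python
"""Triage of a ComboFix "Other Deletions" list.

Added example (not from the thread, and not ComboFix's own code). It pulls
the paths listed under a ComboFix section header and sorts them into
verdict buckets by where each file lived, so that deletions inside Windows
system directories are verified rather than assumed malicious.
"""
import re
from typing import Dict, List

# Sample input: the "Other Deletions" block and the header of the following
# section, copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\program files\IEToolbar
c:\program files\IEToolbar\BANS Toolbar\tbhelper.dll
c:\program files\IEToolbar\BANS Toolbar\uninstall.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\Ijl11.dll
c:\windows\system32\oledb32.dll
E:\Autorun.inf
E:\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
"""

# ComboFix section headers look like "(((( Name ))))".
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
# A listed item starts with a drive letter, e.g. "c:\windows\...".
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Where a deleted file lived decides how much scrutiny it gets before the
# deletion is accepted. This policy is the example's own, not ComboFix's.
VERDICT_BY_LOCATION = {
    "system32": "verify",       # may be an OS component: check the quarantined copy
    "windows": "review",        # stray .ini files under %windir% are common droppings
    "program_files": "accept",  # the toolbar directory the tool removed
    "drive_root": "accept",     # install.exe dropped at the C:\ root
    "other_drive": "accept",
    "autorun_inf": "accept",    # autorun.inf on a data/removable drive: classic worm artefact
    "other": "review",
}


def extract_section(log_text: str, section: str) -> List[str]:
    """Return the drive-letter paths listed under the named section header."""
    paths: List[str] = []
    inside = False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            inside = header.group("name").lower() == section.lower()
            continue
        if inside and WIN_PATH_RE.match(line):
            paths.append(line)
    return paths


def classify(path: str) -> str:
    """Bucket a path by the part of the filesystem it sat in."""
    drive, _, rest = path.lower().partition(":\\")
    if rest.rsplit("\\", 1)[-1] == "autorun.inf":
        return "autorun_inf"
    if rest.startswith("windows\\system32\\"):
        return "system32"
    if rest.startswith("windows\\"):
        return "windows"
    if rest.startswith("program files\\"):
        return "program_files"
    if drive != "c":
        return "other_drive"
    return "other" if "\\" in rest else "drive_root"


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each verdict to the sorted list of deleted paths that received it."""
    buckets: Dict[str, List[str]] = {"verify": [], "review": [], "accept": []}
    for path in extract_section(log_text, "Other Deletions"):
        buckets[VERDICT_BY_LOCATION[classify(path)]].append(path)
    return {verdict: sorted(paths) for verdict, paths in buckets.items()}


if __name__ == "__main__":
    for verdict, paths in triage(SAMPLE_LOG).items():
        for path in paths:
            print(f"{verdict:7s} {path}")
```

Run against the posted list, the two system32 entries land in the "verify" bucket and the three %windir% .ini files in "review"; everything else is accepted. The "verify" step itself (hashing the copy in ComboFix's quarantine and comparing it with a clean Windows install or the output of `sfc /scannow`) is manual and is deliberately left outside the script.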
 
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:11:31, on 23/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dee\Desktop\SYSTEMTOOLS\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?d4a8adb91c0f4702972ae83164765d84
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?d4a8adb91c0f4702972ae83164765d84
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 12957 bytes


Is the pc clear now? If so can I/should I uninstall progs like erunt etc?
Thanks
 
Organiser

I have a zip copy of this that I kept off the PC. I re-installed it and got a grey box with an error on it, and now a further box after that says "provider cannot be found, it may not be properly installed". I tried the same zip on another PC and it worked. Something must have changed in my PC that now prevents this from working?

Thanks
 
More problems

SliQ Submitter, which can be downloaded free and works well, has also been removed from my PC. I've no idea now what to do...
Something has gone badly wrong here. I believe something vital to running progs on my PC was removed in this clean-up, as when I went back and did a system restore to the 18th all was working and fine. Please advise?
Thanks
 
Nice work on restoring your computer and backing up your AO data. :bigthumb:

Is the pc clear now? If so can I/should I uninstall progs like erunt etc?

We still have some more work to do and I'll let you know what to uninstall when we get to the end.

SliQ Submitter, which can be downloaded free and works well, has also been removed from my PC. I've no idea now what to do...
Something has gone badly wrong here. I believe something vital to running progs on my PC was removed in this clean-up, as when I went back and did a system restore to the 18th all was working and fine. Please advise?
Thanks

Have you tried redownloading and reinstalling SliQ Submitter to see if that gets it working again? What may have happened vis-à-vis your programs not working is that the malware you had/have corrupted some files that will now need to be replaced. You may want to back up whatever data you can and then uninstall/reinstall any programs that are no longer working.


I have a zip copy of this that I kept off the PC. I re-installed it and got a grey box with an error on it, and now a further box after that says "provider cannot be found, it may not be properly installed". I tried the same zip on another PC and it worked. Something must have changed in my PC that now prevents this from working?

Looking into this error is leading me to places that are past my level of expertise. Therefore I'm going to ask some of my colleagues if they have any ideas on solving this problem and any other suggestions/tips they may have.

I'll be back ASAP.
 
On reboot I get this error

sqlserv.exe has been corrupted or deleted etc. Googled this; seems to be something that the PC needs?
Thanks
 
Can't install stuff

Seems to be the sqlserv.exe issue now (see error above); I think it is that which is stopping some progs from working.
 
Had to go back to 18th again

On closer inspection, I have many, many progs not working that I need, so I am having to restore back again to the 18th, unfortunately. Not sure what to do about this.
Thanks
 