
Hello,

Windows Restore downloaded itself on my computer. Ever since, I have had constant Internet Explorer Script Error pop-ups, even though I use Firefox. The virus hid all my files and ads will play in the background of my computer even with my browser closed. Task Manager does not show any strange programs running when the ads are playing.

I am not very computer savvy, yet I have attempted to fix the problem myself. However, I can't remove the virus without assistance.

So far, I deleted the Windows Restore icon that was on my desktop and ran multiple scans with Malwarebytes and Norton 360. I remove the viruses that are detected by the scan; however, the virus remains. I make sure to download the latest version of Malwarebytes before every scan attempt.

If someone could help me remove the virus I would greatly appreciate it. This virus has ruined my weekend so far and I would love to have a fully functioning computer again.

Thanks!


Hello and welcome!

Note: if using Firefox, right-click any download link and choose Save As.

Please download OTH to your desktop

Please download OTL to your desktop

Double-click the OTH file to run it and click Kill All Processes; your desktop will go blank.

Then select Start OTL. OTL will now run.

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Click the Internet Explorer button and post these logs in your Virus Removal topic.

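The helper asks for the two OTL logs because the "Files Created" and "Files Modified" sections are where a rogue's dropped payload usually shows up. The script below is an added example for this thread, not OTL's own code and not something either poster wrote: it parses OTL file-entry lines and flags executables that sit in a user-writable location, carry the Hidden attribute or no company name, and were written in the same burst as other files. The entry-line format (timestamp, size, an RHSD attribute column, C/M, optional company, path) is read off the log posted below; the flagging rules, the location list and the 60-second companion window are this example's own assumptions. The sample lines are copied from the posted log, with one LOP-check line and a section header added to show that non-entry lines are skipped; the script flags an entry, it does not by itself prove what the file is.

```python
r"""
Triage helper for the "Files Created" / "Files Modified" sections of an OTL log.

Added example for this thread, not part of OTL or of either post. The scoring
rules, the list of drop locations and the 60-second window are assumptions
made for this example, not anything OTL or the helper specified.
"""
import ntpath
import re
from datetime import datetime, timedelta

# One OTL file entry, for example:
#   [2011/04/08 06:16:56 | 000,475,136 | -H-- | C] () -- C:\ProgramData\42393352.exe
# The attribute column is RHSD (Read-only, Hidden, System, Directory; "-" = not set),
# C/M says whether the timestamp is the creation or modification time, and the
# parenthesised company name is absent in some sections (e.g. the LOP check).
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

EXEC_EXTS = {".exe", ".dll", ".scr", ".sys", ".com", ".bat", ".cmd", ".pif"}
# User-writable locations where legitimately installed software rarely leaves a
# bare, unsigned executable (assumption chosen for this example).
DROP_ROOT_RE = re.compile(
    r"^c:\\(?:programdata|users\\[^\\]+\\appdata|windows\\temp)\\", re.I
)


def parse_entry(line):
    """Return a dict for an OTL file entry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
    e["size"] = int(e["size"].replace(",", ""))
    e["hidden"] = e["attrs"][1] == "H"
    e["is_dir"] = e["attrs"][3] == "D"
    e["company"] = (e["company"] or "").strip()
    return e


def flag_reasons(e):
    """Reasons an entry looks like a dropped payload; empty list means not flagged.
    An executable in a drop location is reported only if it is also hidden or has
    no company name, so vendor updaters living under AppData stay quiet."""
    if e["is_dir"]:
        return []
    path = e["path"].lower()
    if ntpath.splitext(path)[1] not in EXEC_EXTS or not DROP_ROOT_RE.match(path):
        return []
    reasons = ["executable in user-writable drop location"]
    if e["hidden"]:
        reasons.append("hidden attribute set")
    if e["company"] in ("", "No name found"):
        reasons.append("no company name")
    return reasons if len(reasons) > 1 else []


def triage(log_text, window=timedelta(seconds=60)):
    """Parse every line of an OTL log, flag dropper-like executables, and attach
    the other files written within `window` of each one: a rogue's payload and
    its data files are usually written in one burst, so they share a timestamp."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    findings = []
    for e in entries:
        reasons = flag_reasons(e)
        if not reasons:
            continue
        companions = sorted(
            o["path"] for o in entries
            if o is not e and abs(o["ts"] - e["ts"]) <= window
        )
        findings.append({"path": e["path"], "reasons": reasons,
                         "companions": companions})
    return findings


# Sample input copied from the log in this thread, plus one LOP-check line and a
# section header to show that non-entry lines are skipped.
SAMPLE_LOG = r"""
[2011/04/08 16:42:12 | 3218,284,544 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/08 06:17:17 | 000,000,136 | -H-- | C] () -- C:\ProgramData\~42393352r
[2011/04/08 06:17:16 | 000,000,104 | -H-- | C] () -- C:\ProgramData\~42393352
[2011/04/08 06:16:58 | 000,000,336 | -H-- | C] () -- C:\ProgramData\42393352
[2011/04/08 06:16:56 | 000,475,136 | -H-- | C] () -- C:\ProgramData\42393352.exe
[2011/03/17 20:15:57 | 000,066,034 | ---- | C] () -- C:\Users\Joey\Music\Documents\JIMMY.jpg
[2010/10/14 02:36:44 | 000,179,263 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2011/03/25 20:06:33 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\Amazon
========== LOP Check ==========
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["path"], "->", "; ".join(f["reasons"]))
        for c in f["companions"]:
            print("    written within 60 s:", c)
```

Run against the whole OTL.Txt the script reports only the hidden, unsigned executable under C:\ProgramData and lists the three extensionless files written in the same twenty seconds as its companions, which is the set a helper would normally want moved or deleted together; System32 files and hibernation or page files are left alone even when they have no company name, because the location check is required before anything else counts.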

OTL logfile created on: 4/10/2011 1:03:24 PM - Run 2

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Joey\Downloads

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6002.18005)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 64.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 221.81 Gb Total Space | 131.21 Gb Free Space | 59.16% Space Free | Partition Type: NTFS

Drive D: | 11.07 Gb Total Space | 1.84 Gb Free Space | 16.59% Space Free | Partition Type: NTFS

Computer Name: PC | User Name: Joey | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/10 13:02:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Joey\Downloads\OTL.scr

PRC - [2011/04/10 13:02:27 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Users\Joey\Downloads\OTH.scr

PRC - [2010/10/18 06:37:35 | 000,081,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\consent.exe

PRC - [2010/10/15 21:17:26 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe

PRC - [2008/10/17 15:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE

PRC - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe

PRC - [2008/09/24 19:08:26 | 000,296,320 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe

PRC - [2008/09/24 19:08:26 | 000,116,096 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe

PRC - [2008/09/16 11:33:18 | 000,599,344 | ---- | M] (Validity Sensors, Inc.) -- C:\Windows\System32\vfsFPService.exe

PRC - [2008/08/05 10:12:16 | 000,225,369 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a33c8195\stacsv.exe

PRC - [2008/07/14 20:15:10 | 000,322,624 | ---- | M] (DigitalPersona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpHostW.exe

PRC - [2008/06/27 08:53:08 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a33c8195\AEstSrv.exe

PRC - [2008/02/21 15:02:53 | 000,238,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

========== Modules (SafeList) ==========

MOD - [2011/04/10 13:02:43 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Joey\Downloads\OTL.scr

MOD - [2010/08/31 08:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)

SRV - [2011/03/23 11:00:52 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)

SRV - [2009/04/13 14:51:53 | 001,245,064 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)

SRV - [2008/12/11 20:28:25 | 000,115,560 | R--- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe -- (Norton Internet Security)

SRV - [2008/10/17 15:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (LiveUpdate Notice)

SRV - [2008/10/17 15:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)

SRV - [2008/10/17 15:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)

SRV - [2008/10/17 15:52:10 | 000,149,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)

SRV - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)

SRV - [2008/09/24 19:08:26 | 000,296,320 | ---- | M] () [Auto | Running] -- C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe -- (TVCapSvc) TV Background Capture Service (TVBCS)

SRV - [2008/09/24 19:08:26 | 000,116,096 | ---- | M] () [Auto | Running] -- C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe -- (TVSched) TV Task Scheduler (TVTS)

SRV - [2008/09/16 11:33:18 | 000,599,344 | ---- | M] (Validity Sensors, Inc.) [Auto | Running] -- C:\Windows\System32\vfsFPService.exe -- (vfsFPService)

SRV - [2008/09/05 11:52:32 | 003,220,856 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)

SRV - [2008/08/05 10:12:16 | 000,225,369 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a33c8195\stacsv.exe -- (STacSV)

SRV - [2008/07/14 20:15:10 | 000,322,624 | ---- | M] (DigitalPersona, Inc.) [Auto | Running] -- C:\Program Files\DigitalPersona\Bin\DpHostW.exe -- (DpHost)

SRV - [2008/06/27 08:53:08 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a33c8195\AEstSrv.exe -- (AESTFilters)

SRV - [2008/02/21 15:02:53 | 000,238,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)

SRV - [2008/01/29 16:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)

SRV - [2008/01/20 19:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2007/08/22 01:21:30 | 000,055,640 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost)

========== Driver Services (SafeList) ==========

DRV - [2011/03/30 01:00:00 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20110409.002\NAVEX15.SYS -- (NAVEX15)

DRV - [2011/03/30 01:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20110409.002\NAVENG.SYS -- (NAVENG)

DRV - [2010/09/15 11:11:07 | 000,287,792 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Symantec\Definitions\SymcData\ipsdefs\20110330.001\IDSvix86.sys -- (IDSvix86)

DRV - [2010/05/26 01:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2010/05/26 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2009/10/02 20:23:12 | 006,000,640 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel®

DRV - [2009/04/16 20:04:15 | 000,124,464 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)

DRV - [2009/04/10 23:32:55 | 000,226,280 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\system32\drivers\volsnap.sys -- (volsnap)

DRV - [2009/03/17 12:56:58 | 000,447,024 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)

DRV - [2009/02/19 13:31:42 | 000,024,112 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\SymIMV.sys -- (SymIM)

DRV - [2009/02/19 13:31:18 | 000,041,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMNDISV.SYS -- (SYMNDISV)

DRV - [2009/02/19 13:31:16 | 000,184,496 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)

DRV - [2009/02/19 13:31:16 | 000,096,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMFW.SYS -- (SYMFW)

DRV - [2009/02/19 13:31:16 | 000,022,320 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)

DRV - [2009/02/19 13:31:16 | 000,013,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMDNS.SYS -- (SYMDNS)

DRV - [2009/01/08 18:00:54 | 000,016,640 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DsAudioDevice_282.sys -- (DsAudioDevice_282)

DRV - [2008/09/16 11:33:38 | 000,040,752 | ---- | M] (Validity Sensors, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vfs101x.sys -- (vfs101x)

DRV - [2008/09/13 00:13:00 | 007,391,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)

DRV - [2008/09/04 10:47:00 | 000,054,784 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\enecir.sys -- (enecir)

DRV - [2008/08/07 10:01:44 | 000,097,536 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR)

DRV - [2008/08/06 09:26:08 | 000,124,928 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)

DRV - [2008/08/05 20:29:26 | 000,044,576 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)

DRV - [2008/08/05 10:13:50 | 000,382,976 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)

DRV - [2008/07/30 17:42:12 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\COH_Mon.sys -- (COH_Mon)

DRV - [2008/06/30 23:16:26 | 000,018,912 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lmvac.sys -- (LTXMD_VAC) Litex Media Virtual Audio Cable (WDM)

DRV - [2008/06/10 13:04:26 | 000,033,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\point32k.sys -- (Point32)

DRV - [2008/03/27 13:12:12 | 000,024,424 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\hpdskflt.sys -- (hpdskflt)

DRV - [2008/03/27 13:11:34 | 000,034,664 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Accelerometer.sys -- (Accelerometer)

DRV - [2008/01/31 18:51:16 | 000,317,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)

DRV - [2008/01/31 18:51:16 | 000,279,088 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)

DRV - [2008/01/31 18:51:16 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)

DRV - [2008/01/20 19:23:20 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®

DRV - [2007/08/08 17:39:56 | 000,036,056 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CO_Mon.sys -- (CO_Mon)

DRV - [2007/06/18 17:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - HKLM\software\mozilla\Firefox\Extensions\\otis@digitalpersona.com: C:\Program Files\DigitalPersona\Bin\FirefoxExt\ [2009/01/17 03:13:33 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/08/24 16:22:01 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/08 15:44:46 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/08 15:44:46 | 000,000,000 | ---D | M]

[2010/10/23 22:16:55 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Joey\AppData\Roaming\Mozilla\Extensions

[2009/05/01 14:55:35 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Joey\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org

[2011/04/09 00:55:09 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Joey\AppData\Roaming\Mozilla\Firefox\Profiles\70tftyqv.default\extensions

[2011/02/14 18:45:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2011/02/14 18:45:23 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

[2010/05/22 16:29:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010/01/03 00:54:17 | 000,000,000 | -H-D | M] (Move Media Player) -- C:\USERS\JOEY\APPDATA\ROAMING\MOVE NETWORKS

[2009/09/02 03:01:07 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION

[2010/05/22 16:29:26 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2006/09/18 14:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll (Symantec Corporation)

O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [CLMLServer for HP TouchSmart] C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe (CyberLink)

O4 - HKLM..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\DpAgent.exe (DigitalPersona, Inc.)

O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [osCheck] C:\Program Files\Norton 360\osCheck.exe (Symantec Corporation)

O4 - HKLM..\Run: [smartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe (Hewlett-Packard)

O4 - HKLM..\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)

O4 - HKLM..\Run: [TSMAgent] C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe (CyberLink Corp.)

O4 - HKLM..\Run: [TuneClone] File not found

O4 - HKLM..\Run: [TVAgent] C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe (CyberLink Corp.)

O4 - HKLM..\Run: [uCam_Menu] C:\Program Files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [updatePDIRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [EA Core] File not found

O4 - HKCU..\Run: [Pando Media Booster] File not found

O4 - HKCU..\Run: [RGSC] C:\Program Files\Steam\steamapps\common\grand theft auto iv\RGSC\RGSCLauncher.exe (Take-Two Interactive Software, Inc.)

O4 - HKCU..\Run: [steam] c:\program files\steam\steam.exe (Valve Corporation)

O4 - Startup: C:\Users\Joey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)

O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O16 - DPF: {72376E32-8AF2-473F-BE32-E5D0F39C865D} http://docs.cyberlink.com/multi/patch/prog/UpdateAdvisor.cab (CUpdateAdvisorCtrl Object)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\Joey\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O24 - Desktop BackupWallPaper: C:\Users\Joey\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/09 01:02:01 | 000,000,000 | ---D | C] -- C:\Program Files\GridinSoft Trojan Killer

[2011/03/28 13:19:49 | 000,000,000 | ---D | C] -- C:\Users\Joey\Desktop\Job Hunt

[2011/03/25 20:06:33 | 000,000,000 | -H-D | C] -- C:\Users\Joey\AppData\Roaming\Amazon

[2011/03/25 20:05:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Amazon

[2011/03/25 20:05:45 | 000,000,000 | ---D | C] -- C:\Program Files\Amazon

========== Files - Modified Within 30 Days ==========

[2011/04/10 13:01:19 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2011/04/10 13:01:19 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2011/04/10 12:55:23 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2011/04/10 12:54:55 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2011/04/10 12:54:55 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2011/04/10 12:54:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2011/04/10 12:54:40 | 3218,284,544 | -HS- | M] () -- C:\hiberfil.sys

[2011/04/10 12:52:54 | 000,000,943 | -H-- | M] () -- C:\Users\Joey\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2011/04/10 12:28:59 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2011/04/10 12:28:58 | 000,000,904 | -H-- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1026037323-1603270977-52714397-1000UA.job

[2011/04/09 13:25:00 | 000,000,852 | -H-- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1026037323-1603270977-52714397-1000Core.job

[2011/04/08 16:43:37 | 000,008,268 | ---- | M] () -- C:\Users\Joey\AppData\Local\d3d9caps.dat

[2011/04/08 06:17:17 | 000,000,136 | -H-- | M] () -- C:\ProgramData\~42393352r

[2011/04/08 06:17:17 | 000,000,104 | -H-- | M] () -- C:\ProgramData\~42393352

[2011/04/08 06:16:58 | 000,000,336 | -H-- | M] () -- C:\ProgramData\42393352

[2011/04/08 06:16:56 | 000,475,136 | -H-- | M] () -- C:\ProgramData\42393352.exe

[2011/04/08 02:39:36 | 000,031,776 | -H-- | M] () -- C:\ProgramData\nvModes.dat

[2011/04/08 02:39:36 | 000,031,776 | -H-- | M] () -- C:\ProgramData\nvModes.001

[2011/04/07 09:54:31 | 000,000,056 | -H-- | M] () -- C:\ProgramData\ezsidmv.dat

[2011/04/07 09:28:49 | 000,002,651 | -H-- | M] () -- C:\Users\Joey\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk

[2011/03/30 21:10:22 | 000,000,318 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForJoey.job

[2011/03/18 18:16:42 | 000,002,609 | -H-- | M] () -- C:\Users\Joey\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007.lnk

[2011/03/17 20:15:59 | 000,066,034 | ---- | M] () -- C:\Users\Joey\Music\Documents\JIMMY.jpg

[2011/03/15 16:15:04 | 000,001,887 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk

========== Files Created - No Company Name ==========

[2011/04/08 16:42:12 | 3218,284,544 | -HS- | C] () -- C:\hiberfil.sys

[2011/04/08 06:17:17 | 000,000,136 | -H-- | C] () -- C:\ProgramData\~42393352r

[2011/04/08 06:17:16 | 000,000,104 | -H-- | C] () -- C:\ProgramData\~42393352

[2011/04/08 06:16:58 | 000,000,336 | -H-- | C] () -- C:\ProgramData\42393352

[2011/04/08 06:16:56 | 000,475,136 | -H-- | C] () -- C:\ProgramData\42393352.exe

[2011/03/17 20:15:57 | 000,066,034 | ---- | C] () -- C:\Users\Joey\Music\Documents\JIMMY.jpg

[2011/03/15 16:15:04 | 000,001,887 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk

[2011/03/15 16:15:04 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk

[2010/10/23 21:30:22 | 000,000,006 | -H-- | C] () -- C:\Users\Joey\AppData\Roaming\start

[2010/10/23 21:29:24 | 000,000,006 | -H-- | C] () -- C:\Users\Joey\AppData\Roaming\completescan

[2010/10/23 14:15:33 | 000,000,010 | -H-- | C] () -- C:\Users\Joey\AppData\Roaming\install

[2010/10/14 02:36:44 | 000,179,263 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat

[2010/08/24 16:07:54 | 000,208,069 | ---- | C] () -- C:\Windows\hpoins43.dat

[2010/04/11 09:28:42 | 000,013,360 | -H-- | C] () -- C:\Users\Joey\AppData\Local\tmpSNOW-DC_navi.JPG

[2010/04/11 09:28:37 | 000,222,535 | -H-- | C] () -- C:\Users\Joey\AppData\Local\tmpSNOW-DC.0

[2010/04/11 09:28:37 | 000,112,945 | -H-- | C] () -- C:\Users\Joey\AppData\Local\tmpSNOW-DC.JPG

[2010/01/29 14:11:51 | 000,000,601 | ---- | C] () -- C:\Windows\hpomdl43.dat

[2009/10/17 19:35:33 | 000,000,001 | -H-- | C] () -- C:\Windows\mulch200.ini

[2009/09/16 19:29:02 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin

[2009/09/16 19:29:01 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll

[2009/09/16 19:28:35 | 000,226,280 | ---- | C] () -- C:\Windows\System32\drivers\volsnap.sys

[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll

[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe

[2009/08/01 20:33:58 | 000,000,282 | -H-- | C] () -- C:\Users\Joey\AppData\Roaming\wklnhst.dat

[2009/06/21 15:45:16 | 000,000,529 | ---- | C] () -- C:\Windows\eReg.dat

[2009/04/26 20:33:26 | 000,870,128 | -H-- | C] () -- C:\Users\Joey\AppData\Roaming\mcs.rma

[2009/04/26 20:33:26 | 000,000,004 | -H-- | C] () -- C:\Users\Joey\AppData\Roaming\42C232

[2009/02/07 22:46:19 | 000,008,268 | ---- | C] () -- C:\Users\Joey\AppData\Local\d3d9caps.dat

[2009/01/26 12:12:08 | 000,018,432 | -H-- | C] () -- C:\Users\Joey\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/10/27 11:03:11 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

[2007/11/14 17:17:34 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CogentBioSDK.dll

[2006/11/02 05:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat

[2006/11/02 05:47:37 | 000,314,472 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT

[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll

[2006/11/02 03:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat

[2006/11/02 03:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat

[2006/11/02 03:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat

[2006/11/02 03:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat

[2006/11/02 03:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat

[2006/11/02 01:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

[2006/11/02 01:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT

[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

[2006/11/02 00:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2011/03/25 20:06:33 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\Amazon

[2010/05/06 23:48:56 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\Azureus

[2011/01/17 13:48:33 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2009/01/26 11:28:36 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\DigitalPersona

[2009/07/05 12:52:56 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\funkitron

[2009/04/04 23:39:20 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\IDM

[2009/04/06 00:55:32 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\iWin

[2009/04/04 21:18:43 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\Ludia

[2009/04/04 23:39:23 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\NBC Direct

[2009/07/17 16:56:16 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\PlayFirst

[2009/04/17 20:15:15 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\Red Alert 3

[2009/12/13 18:14:57 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\Southwest Airlines

[2009/04/05 13:13:48 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\SPORE Creature Creator

[2009/08/13 17:18:25 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\temp

[2009/08/01 20:34:00 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\Template

[2009/01/26 11:39:43 | 000,000,000 | -H-D | M] -- C:\Users\Joey\AppData\Roaming\WildTangent

[2011/04/10 12:53:41 | 000,032,616 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\ProgramData\Temp:C39E55C5

@Alternate Data Stream - 98 bytes -> C:\ProgramData\Temp:88050731

@Alternate Data Stream - 137 bytes -> C:\ProgramData\Temp:0B174FAE

< End of report >

OTL Extras logfile created on: 4/10/2011 12:47:55 PM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Joey\Downloads

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6002.18005)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 58.00% Memory free

6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 221.81 Gb Total Space | 131.10 Gb Free Space | 59.11% Space Free | Partition Type: NTFS

Drive D: | 11.07 Gb Total Space | 1.84 Gb Free Space | 16.59% Space Free | Partition Type: NTFS

Computer Name: PC | User Name: Joey | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1"

https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1"

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DefaultOutboundAction" = 0

"DefaultInboundAction" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DefaultOutboundAction" = 0

"DefaultInboundAction" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DisableUnicastResponsesToMulticastBroadcast" = 0

"DefaultOutboundAction" = 0

"DefaultInboundAction" = 1

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{138B5450-4C96-4BED-BFD7-08C7773E5F2C}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{004560F7-B475-4BBD-9507-5F753DE5336F}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgh.exe |

"{0531245F-CE5C-41AD-866B-CB0507F99157}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\rgsc\rgsclauncher.exe |

"{0A81AABC-A4A4-45C7-A8F9-8FEB0ACC6F3E}" = dir=in | app=c:\program files\skype\phone\skype.exe |

"{100796A1-7B18-4EAC-8A85-464986B5364F}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe |

"{1056A9EB-9AEF-423D-A5AB-95CD5D8594B8}" = dir=in | app=c:\program files\hp\digital imaging\smart web printing\smartwebprintexe.exe |

"{274B1869-1AC5-4EE4-9778-68DFECD4D9B6}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\kernel\clml\clmlsvc.exe |

"{278954AB-0341-4EA4-B2BE-0FDB923A3E8F}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{27FF507C-4130-4818-905F-F140D2265B32}" = dir=in | app=c:\program files\hewlett-packard\media\tv\qpservice.exe |

"{40E167FF-2BEB-4BFB-B95B-7920C2C37202}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartmusic.exe |

"{455BAE4E-3285-4560-AEEE-6D55B7299B6A}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgpc01.exe |

"{48EDB95B-975F-402A-9153-033659B4C8E5}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe |

"{4ACCF0A0-FFF9-4A7E-B05B-0161700A561D}" = dir=in | app=c:\program files\hewlett-packard\media\tv\qp.exe |

"{4E25719B-4ED0-42A3-A947-AFDDE5C10B72}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\jcarraro\counter-strike source\hl2.exe |

"{4EB689F6-A71B-4CB2-9F30-B38BABEE5CB5}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\jcarraro\counter-strike\hl.exe |

"{50A5C923-DCCB-4BB2-959C-25030F3AD799}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartmusic.exe |

"{50CF9CD6-27DC-49A2-9B5B-AC8258E3AF56}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |

"{633C23C1-E180-4435-B879-86E8F09E3218}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqusgm.exe |

"{65451B85-573A-4021-86F6-A8DE1257FC16}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hpdvdsmart.exe |

"{65F14AA1-AF60-4D4C-A1D2-7C7F3937AFFE}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\jcarraro\counter-strike source\hl2.exe |

"{667EED53-EC5A-409D-B2F4-C10784E9EE95}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |

"{6AFD34F4-98A6-434B-BDB6-0358D4626D38}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpoews01.exe |

"{6D660B72-0F18-46DC-A341-4E39881FC953}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqkygrp.exe |

"{80832013-E80F-4CBF-8EA7-C1C97FC81BAA}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartphoto.exe |

"{8166197E-D45B-455E-B227-B7461E24842D}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{81AD85DD-BFB2-4BCF-AC60-8354E36D831D}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

"{8923E19C-CD3E-4DD2-B45D-141836D149FE}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpfccopy.exe |

"{8D8F4BA6-350B-4212-8F17-EAE738919FD3}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |

"{94F04209-F7A0-4D0E-B212-82FC232553B2}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\jcarraro\counter-strike\hl.exe |

"{9E5EB5F6-3FA3-4140-8D5F-F7CBA7EC04ED}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |

"{A21E0C99-91FF-42A8-AC74-A49EBA92CE9C}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartphoto.exe |

"{A2C33326-5DE5-4541-9476-66E9D67A6810}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{A563C485-5F9A-4042-A805-F2A4E9EC30A0}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |

"{A6E81D29-9725-4667-8713-3BA1DE0088F3}" = dir=in | app=e:\setup\hpznui01.exe |

"{A850E0F1-DA8E-4577-86EE-94DEC577AFE6}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartvideo.exe |

"{B41F0E3E-8BB4-4A47-94C6-7A69E40FD92D}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqgplgtupl.exe |

"{BF5D2D10-2C74-48CE-A3C4-0CF2360E9912}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\tsmagent.exe |

"{CC0733A0-E385-4D81-AE08-04AE03E08124}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |

"{D087B9FD-C457-4BAA-8120-6CE04C135336}" = dir=in | app=c:\program files\hp\hp software update\hpwucli.exe |

"{D7041F26-661A-49D6-BE18-8CFEFC1B2810}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpiscnapp.exe |

"{E235447C-BBBB-4E0B-A746-61F392AEF2D3}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{ED2F6774-FAD9-49A5-9EAF-961BD8ECD138}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\tsmagent.exe |

"{F5A7BB30-C8CF-4C38-9303-9EB9EFC36A78}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\kernel\clml\clmlsvc.exe |

"{F5B1ED72-C48C-4729-A910-2A9C21C007A4}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartvideo.exe |

"{F6953C82-51FE-4E76-96B2-1AD856167896}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqtra08.exe |

"{FD7B8549-0A51-42E7-896B-17A98AD17A67}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\grand theft auto iv\rgsc\rgsclauncher.exe |

"TCP Query User{8CC0A8B6-A7AC-4BDD-AE37-512329B07075}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |

"TCP Query User{93FE2357-CAB3-40A8-91C3-39D776EC6DD4}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |

"TCP Query User{DE1D705F-F96E-44E8-B1E6-4E9C64FA28D6}C:\program files\electronic arts\eadm\core.exe" = protocol=6 | dir=in | app=c:\program files\electronic arts\eadm\core.exe |

"TCP Query User{FE4516F3-C814-4B35-BFE5-EBA214082CEB}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |

"UDP Query User{00FE03C2-39D4-47AE-8FB4-A842F7314AB4}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |

"UDP Query User{4C2BBC5D-BEBE-4C6A-8275-41F44208420E}C:\program files\electronic arts\eadm\core.exe" = protocol=17 | dir=in | app=c:\program files\electronic arts\eadm\core.exe |

"UDP Query User{552ADAB7-F116-4EE5-8F3A-B108BA7006DB}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |

"UDP Query User{9DD41713-BFA3-4554-91AD-1F05B3C8ABB9}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{004B0DCB-4C60-465B-8F01-44B0A4111187}" = SlingPlayer

"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support

"{005F78AF-110D-398A-8430-BE98950A1E22}" = Google Talk Plugin

"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = HP MediaSmart Webcam

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{06A1D88C-E102-4527-AF70-29FFD7AF215A}" = Scan

"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer

"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant

"{097CDB1E-07C9-40F1-9972-F0F9F3A287E4}" = Network

"{0BDD3FAD-61CD-4BF3-B9C4-4CEFD43F53F8}" = Norton 360 HTMLHelp

"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour

"{1458BB78-1DC5-4BC0-B9A3-2B644F5A8105}" = DeviceDiscovery

"{150B6201-E9E6-4DFB-960E-CCBD53FBDDED}" = HPProductAssistant

"{154A4184-1A3D-4BF9-A5AE-4FA1660445F3}" = HP Total Care Advisor

"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works

"{1FDA5A37-B22D-43FF-B582-B8964050DC13}" = Microsoft Games for Windows - LIVE Redistributable

"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs

"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls

"{21829177-4DED-4209-AD08-490B3AC9C01A}" = Norton 360

"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant

"{24DF7221-644B-4C3A-A478-459502D40522}" = Backup

"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library

"{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron JMB38X Flash Media Controller

"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java 6 Update 20

"{292F0F52-B62D-4E71-921B-89A682402201}" = Toolbox

"{294C633F-6933-4F86-A305-BFDF9FCE9EFF}" = HP User Guides 0116

"{296D8550-CB06-48E4-9A8B-E5034FB64715}" = Command & Conquer


Please see if the following scans will run. It looks like you have a rootkit running (although it hasn't hidden very well).

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Interesting that tdsskiller didn't run. That means that we will have to identify and fix the rootkit manually.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Make sure you see your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:
    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

Click the Home tab > Power Off and shut down. Remove the USB drive and insert it back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive

Copy and paste the report.txt for my review. Attach mbr.zip to your next reply (do not attach report.txt, instead copy/paste its contents).

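The post above asks for a raw copy of the first sector (`dd if=/dev/sda of=mbr.bin bs=512 count=1`) so the helper can inspect the Master Boot Record by hand. The following is an added example, not a tool from this thread, of what that inspection looks like in code: it parses a 512-byte MBR dump, hashes the bootstrap code, decodes the four partition entries and flags structural oddities (missing 55AA signature, non-standard boot flags, overlapping extents). The known-good bootcode hashes it compares against are assumed to be supplied by the analyst from a clean install of the same Windows version; the built-in sample MBR is constructed filler whose partition sizes only approximate the C: and D: volumes in the OTL log.

```python
"""Parse and sanity-check a 512-byte MBR dump such as mbr.bin from dd.
Added example; known-good bootcode hashes are an analyst-supplied assumption."""
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Set

MBR_SIZE = 512
BOOTCODE_LEN = 440      # 0x000-0x1B7: bootstrap code
DISK_SIG_OFF = 0x1B8    # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE    # 0x55 0xAA


@dataclass
class Partition:
    index: int
    boot_flag: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def empty(self) -> bool:
        return self.type_id == 0 and self.lba_start == 0 and self.sectors == 0


@dataclass
class MbrReport:
    bootcode_sha256: str
    disk_signature: int
    boot_signature_ok: bool
    partitions: List[Partition]
    warnings: List[str] = field(default_factory=list)


def parse_mbr(data: bytes) -> MbrReport:
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    warnings: List[str] = []
    boot_sig_ok = data[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA"
    if not boot_sig_ok:
        warnings.append("boot signature 55AA missing: not a valid MBR")
    disk_sig = struct.unpack_from("<I", data, DISK_SIG_OFF)[0]
    parts: List[Partition] = []
    for i in range(4):
        # flag(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        flag, type_id, lba, count = struct.unpack_from("<B3xB3xII", data, PART_TABLE_OFF + 16 * i)
        p = Partition(i, flag, type_id, lba, count)
        parts.append(p)
        if p.empty:
            continue
        if flag not in (0x00, 0x80):
            warnings.append(f"entry {i}: non-standard boot flag 0x{flag:02X}")
        if type_id == 0:
            warnings.append(f"entry {i}: type 0 but non-zero extent")
        if count == 0:
            warnings.append(f"entry {i}: zero-length partition")
    active = sorted((p for p in parts if not p.empty), key=lambda p: p.lba_start)
    if sum(1 for p in active if p.boot_flag == 0x80) > 1:
        warnings.append("more than one partition flagged active")
    for a, b in zip(active, active[1:]):
        if b.lba_start < a.lba_start + a.sectors:
            warnings.append(f"entries {a.index} and {b.index} overlap")
    return MbrReport(hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest(),
                     disk_sig, boot_sig_ok, parts, warnings)


def bootcode_is_known_good(report: MbrReport, known_hashes: Set[str]) -> bool:
    """known_hashes: SHA-256 of the first 440 bytes of a clean MBR (assumed supplied)."""
    return report.bootcode_sha256 in known_hashes


def build_sample_mbr() -> bytes:
    """Constructed sample: filler bootcode (not a real loader) and two NTFS entries
    roughly matching the 221 GB C: and 11 GB D: volumes in the OTL log."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:7] = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # placeholder bytes
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1234ABCD)
    entries = [(0x80, 0x07, 2048, 465_000_000),          # C: active NTFS
               (0x00, 0x07, 465_002_048, 23_216_128)]    # D: recovery NTFS
    for i, (flag, t, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i, flag, t, lba, count)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


def read_mbr(path: str) -> MbrReport:
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(MBR_SIZE))


if __name__ == "__main__":
    import sys
    rep = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else parse_mbr(build_sample_mbr())
    print(f"bootcode sha256: {rep.bootcode_sha256}")
    print(f"disk signature: 0x{rep.disk_signature:08X}  55AA ok: {rep.boot_signature_ok}")
    for p in rep.partitions:
        if not p.empty:
            print(f"  entry {p.index}: flag=0x{p.boot_flag:02X} type=0x{p.type_id:02X} "
                  f"start={p.lba_start} sectors={p.sectors}")
    for w in rep.warnings:
        print("WARNING:", w)
```

Run it as `python mbr_check.py mbr.bin` on the dump copied off the USB drive. A structurally valid table with an unfamiliar bootcode hash is the interesting case: the partition table is usually left intact by bootkits so the system still boots, so the hash comparison, not the table checks, is what catches a replaced loader.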

What you have is most likely a new rootkit variant. To be honest, I doubt you will find someone who can clean this in a few simple steps, and I suspect most paid support will try a few steps by remote connection and then tell you it's unfixable and to just reinstall the operating system.

The proposed steps are quite easy to do, as long as you are able to burn a CD; it looks more difficult than it is. :)

However, it is up to you, if you choose to take this somewhere else, just let me know and I'll request this topic to be closed.


But the latest series of instructions requires me to have another computer, which I don't have. I don't have "clean" computers laying around. Also, following this latest series of instructions does not "fix" my problem. So, after taking the time to try and locate a "clean" computer to do all this on, burn a cd, etc, etc, we still haven't fixed the problem. I realize this is free help but I need this virus off my computer pronto.

Is there a company that diagnoses and fixes virus problems that you would recommend for me to take my computer to?

Thanks.


Sorry, I do not recommend paid support for the simple reason that most of them are rip-offs.

You can create the CD on your own computer without problems, as long as you can run the required steps. The instructions include the "clean computer" because often I use this for computers that cannot start up successfully.


Yeah, I think you are right. I will try this in the morning. I have been having techs from Microsoft support remote in and try and fix it without any luck. Spent ALL day today working on it with them. I can't stress to you enough that it was ALL f-ing day!!! ALL DAY.

So yeah, tomorrow I will try. Thank you!!


You are welcome. :)

And no worries, I think I know what the problem is, and if you create the CD as instructed, most likely we will be able to fix this without problems. If you browse to other topics I worked on, you'll see I'm not one to give up unless problems are resolved. It's not without reason that I am not a big fan of paid support. ;)


Well, I only got so far as burning the cd and installing the driver.sh to a USB drive. When I tried to boot the cd it did nothing but kick the cd out. Since I don't have a "clean" computer, I did all this from my infected profile. Interesting side note, I now have two infected profiles because Neeraj Nema from Microsoft Support swore up and down that creating a new profile would solve my problems. As soon as he created the new profile the virus popped back up with script errors and ads playing.

I have invested so much time with this problem and I feel like I am going backwards. I am so frustrated. I don't know what to do. I need my computer to be running smoothly. Is there anything else I can do? I'm desperate at this point.


In that case, let's do this "blindfolded". First of all, we need to locate a clean copy of the file.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    volsnap.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Once I know where the other copies of the file are located, we can attempt a replacement.

Try also the following, although I'm not sure it will work.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


TDL::
c:\windows\system32\drivers\volsnap.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

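The post above uses SystemLook's `:filefind volsnap.sys` to locate every copy of the driver before deciding which one to swap in. The following is an added example, not SystemLook or any tool from this thread, that does the same search in code and goes one step further: it hashes each copy and reports the one whose hash disagrees with the others, which is the question the helper is really asking. The directory layout it builds for itself (System32\drivers, winsxs, DriverStore) mirrors where Windows keeps driver copies but is constructed sample data with filler contents, not real driver bytes; run it against a real root instead by passing the path.

```python
"""Find every copy of a named file under a root, hash them, and flag the odd one out.
Added example; the sample tree is constructed filler, not real driver files."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileCopy:
    path: str
    size: int
    sha256: str


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: str, name: str) -> List[FileCopy]:
    """Walk root and return every file matching name case-insensitively
    (Windows file names are case-insensitive: volsnap.sys == VOLSNAP.SYS)."""
    wanted = name.lower()
    found: List[FileCopy] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == wanted:
                full = os.path.join(dirpath, fn)
                try:
                    found.append(FileCopy(full, os.path.getsize(full), sha256_of(full)))
                except OSError as exc:  # a copy that cannot be read is itself worth noting
                    found.append(FileCopy(full, -1, f"unreadable: {exc.strerror}"))
    return sorted(found, key=lambda c: c.path)


def group_by_hash(copies: List[FileCopy]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = {}
    for c in copies:
        groups.setdefault(c.sha256, []).append(c.path)
    return groups


def odd_one_out(copies: List[FileCopy]) -> List[str]:
    """Paths whose hash is in the minority. If the WinSxS and DriverStore copies
    agree and the live System32\\drivers copy differs, the live one is the suspect.
    With only two copies that disagree there is no majority and the pick is arbitrary."""
    groups = group_by_hash(copies)
    if len(groups) < 2:
        return []
    majority = max(groups.values(), key=len)
    return [p for paths in groups.values() if paths is not majority for p in paths]


def build_sample_tree() -> str:
    """Constructed tree mirroring where Windows keeps driver copies; contents are filler."""
    root = tempfile.mkdtemp(prefix="sample_")
    clean = b"CLEAN-DRIVER-IMAGE" * 64
    layout = {
        "Windows/System32/drivers/volsnap.sys": clean + b"PATCHED",  # live copy, altered
        "Windows/winsxs/x86_volsnap/volsnap.sys": clean,
        "Windows/System32/DriverStore/FileRepository/volume.inf_x/volsnap.sys": clean,
        "Windows/System32/drivers/other.sys": b"unrelated",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    copies = find_copies(root, "volsnap.sys")
    for c in copies:
        print(f"{c.size:>10}  {c.sha256}  {c.path}")
    for p in odd_one_out(copies):
        print("SUSPECT (hash differs from the other copies):", p)
```

One caveat that explains why the helper preferred the boot-CD route: a kernel-mode rootkit that filters disk reads can hand user-mode tools the clean bytes of the file it has patched, so a hash match taken from inside the infected Windows session proves less than the same hash taken from the drive mounted offline.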
