I have Norton Corporate, yet a virus with a window "S.M.A.R.T Data Recovery" has installed - fix?

No, I restarted exactly as you have said, in Safe Mode with Networking.

You need to download OTL and create a log, so that from that I can script and break the visible part of the infection.

 

Quads

I will talk you through everything that I have just done:
1. Opened in Safe Mode with Networking.
2. SMART Data Recovery launched, so I shut down and restarted.
3. Got to download OTL to the desktop this time.
4. Started up in normal mode - OTL did not appear on the desktop - screen went black, SMART Data Recovery launched again, so I shut down, restarted back in Safe Mode with Networking, so I am back here now.

 

If SMART Data Recovery launches, should I just let it run its course?

BTW, when it launched while in Safe Mode, it blocked my internet access.

Run OTL in Safe Mode with Networking.

 

Quads

OK - scanning now!

I can tell you around what time it happened if that helps? It was approx. 6pm on Friday May 18.


 

OTL logfile created on: 20/05/2012 4:04:31 PM - Run 1
OTL by OldTimer - Version 3.2.43.0     Folder = C:\Documents and Settings\Roanna\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy
 
502.96 Mb Total Physical Memory | 259.54 Mb Available Physical Memory | 51.60% Memory free
1.20 Gb Paging File | 0.97 Gb Available in Paging File | 81.14% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 5.67 Gb Free Space | 7.60% Space Free | Partition Type: NTFS
 
Computer Name: ROANNA-36A94C04 | User Name: Roanna | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 60 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012/05/20 16:01:03 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Roanna\Desktop\OTL.exe
PRC - [2008/04/14 10:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/04/23 07:11:23 | 000,253,088 | -H-- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2011/09/14 21:06:38 | 000,169,624 | -H-- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor10.0)
SRV - [2009/09/01 12:15:50 | 000,116,664 | -H-- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2009/09/01 12:15:46 | 001,966,008 | -H-- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/09/01 12:15:38 | 000,031,160 | -H-- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2009/08/03 12:23:34 | 000,169,320 | -H-- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2009/08/03 12:23:30 | 000,191,848 | -H-- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2009/03/20 18:10:15 | 003,093,880 | -H-- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/12/17 14:21:08 | 000,214,408 | -H-- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2008/04/17 13:14:48 | 000,102,712 | -H-- | M] (ArcSoft Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2007/07/26 18:25:20 | 001,181,016 | -H-- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - [2012/02/13 19:00:00 | 000,374,392 | -H-- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/02/13 19:00:00 | 000,106,104 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/01/16 10:48:06 | 001,576,312 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120510.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/01/16 10:48:06 | 000,086,136 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120510.002\NAVENG.SYS -- (NAVENG)
DRV - [2011/10/27 11:25:40 | 000,136,808 | -H-- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2011/10/27 11:25:40 | 000,121,064 | -H-- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadbus.sys -- (ssadbus) SAMSUNG Android USB Composite Device driver (WDM)
DRV - [2011/10/27 11:25:40 | 000,114,280 | -H-- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadserd.sys -- (ssadserd) SAMSUNG Android USB Diagnostic Serial Port (WDM)
DRV - [2011/10/27 11:25:40 | 000,030,312 | -H-- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadadb.sys -- (androidusb)
DRV - [2011/10/27 11:25:40 | 000,012,776 | -H-- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssadmdfl.sys -- (ssadmdfl) SAMSUNG Android USB Modem (Filter)
DRV - [2011/03/27 10:40:17 | 000,123,952 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/06/14 09:47:12 | 000,055,168 | -H-- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2009/06/14 09:47:10 | 000,339,328 | -H-- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2008/12/17 14:20:40 | 000,188,808 | -H-- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI)
DRV - [2008/12/17 14:20:34 | 000,023,944 | -H-- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV)
DRV - [2008/05/02 10:58:14 | 000,020,864 | -H-- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2008/05/02 10:58:12 | 000,017,536 | -H-- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2007/07/26 18:25:18 | 000,400,216 | -H-- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/02/23 14:58:56 | 000,011,776 | -H-- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {BE28C22E-F666-424d-B5FD-125C4AFEE34E}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{BE28C22E-F666-424d-B5FD-125C4AFEE34E}: "URL" = http://search.myheritage.com?orig=ds&q={searchTerms}
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\..\SearchScopes,DefaultScope = {61A20553-13A7-4CA5-A960-1F32B74F33B0}
IE - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\..\SearchScopes\{61A20553-13A7-4CA5-A960-1F32B74F33B0}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
IE - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\..\SearchScopes\{BE28C22E-F666-424d-B5FD-125C4AFEE34E}: "URL" = http://search.myheritage.com?orig=ds&q={searchTerms}
IE - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\Roanna\Application Data\Facebook\npfbplugin_1_0_3.dll ( )
 
 

I said in the OTL instructions,

 

An OTL.txt will be created. Attach it back here to a message

 

Quads

(This site would not let me post the text file as an attachment, argh!!! So I've had to split it into three parts, part 2 below.)

 
O1 HOSTS File: ([2012/05/19 17:04:08 | 000,000,886 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 93.113.196.124 www.google.com
O1 - Hosts: 93.113.196.125 www.bing.com
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [irMSTkFdIRNGS.exe] C:\Documents and Settings\All Users\Application Data\irMSTkFdIRNGS.exe ( )
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003..\Run: [EPSON Stylus CX5500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003..\Run: [KiesHelper] C:\Program Files\Samsung\Kies\KiesHelper.exe (Samsung)
O4 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003..\Run: [KiesPDLR] C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe ()
O4 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003..\Run: [KiesTrayAgent] C:\Program Files\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background File not found
O4 - Startup: C:\Documents and Settings\Roanna\Start Menu\Programs\Startup\Samsung Auto Backup Guage.lnk = C:\Program Files\Clarus\Samsung Auto Backup\ISFGuage.exe (Clarus, Inc.)
O4 - Startup: C:\Documents and Settings\Roanna\Start Menu\Programs\Startup\Samsung Auto Backup Real-Time Daemon.lnk = C:\Program Files\Clarus\Samsung Auto Backup\ISFRealTimeD.exe (Clarus, Inc.)
O4 - Startup: C:\Documents and Settings\Roanna\Start Menu\Programs\Startup\Samsung Auto Backup Scheduler.lnk = C:\Program Files\Clarus\Samsung Auto Backup\ISFTimerD.exe (Clarus, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab (Reg Error: Key error.)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www4.snapfish.com.au/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} https://portalsrvs.det.nsw.edu.au/vdesk/terminal/f5tunsrv.cab#version=6030,2009,514,2213 (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} C:\DOCUME~1\Roanna\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab (F5 Networks Auto Update)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} https://secure.logmeinrescue.com/Customer/x86/RescueDownloader.cab (LogMeIn Rescue Applet Downloader)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (ScorchPlugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://msnau.oberon-media.com/online2/MSN_INTL_AUSTRALIA/chuzzle/popcaploader_v6.cab (PopCapLoader Object)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://portalsrvs.det.nsw.edu.au/vdesk/terminal/urxhost.cab#version=6030,2009,514,2205 (F5 Networks Host Control)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 61.9.195.193 61.9.194.49
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{045D4957-ED8B-4D44-B11C-D565645E043C}: DhcpNameServer = 61.9.195.193 61.9.194.49
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/20 17:15:11 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{76667b4a-7a40-11dd-a050-00112576143e}\Shell - "" = AutoRun
O33 - MountPoints2\{76667b4a-7a40-11dd-a050-00112576143e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{76667b4a-7a40-11dd-a050-00112576143e}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

(Part 3 - thanks - do you need the "Extras" file also?)
 
========== Files/Folders - Created Within 60 Days ==========
 
[2012/05/20 15:44:50 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Roanna\Recent
[2012/05/20 15:36:11 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Roanna\Desktop\OTL.exe
[2012/05/20 15:16:48 | 000,069,088 | -HS- | C] (Ghisler Software GmbH) -- C:\Documents and Settings\Roanna\Application Data\dplaysvr.exe
[2012/05/20 12:58:04 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/05/18 17:28:41 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Roanna\Start Menu\Programs\Data Recovery
[2012/05/08 17:02:42 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Roanna\Application Data\Smmarks2
[2012/05/08 17:02:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SMPCS Apps
[2012/05/08 17:02:19 | 000,000,000 | -H-D | C] -- C:\Program Files\Smmarks2
[2012/04/25 10:34:36 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Roanna\Desktop\ro pics 2012 march head
[2012/04/24 22:56:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Roanna\Desktop\New Folder
[2012/04/24 16:22:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Roanna\Desktop\TOYOTA TRIVIA SOUND QUESTIONS
[2012/04/24 08:21:07 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/04/24 08:18:48 | 000,000,000 | -H-D | C] -- C:\Program Files\iPod
[2012/04/24 08:18:21 | 000,000,000 | -H-D | C] -- C:\Program Files\iTunes
[2012/04/24 06:20:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Roanna\My Documents\My Albums
[2012/04/19 10:27:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Roanna\Desktop\singing practice backing songs 2012
[2012/04/19 10:10:11 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Free M4a to MP3 Converter
[2012/04/19 10:10:03 | 000,000,000 | -H-D | C] -- C:\Program Files\Free M4a to MP3 Converter
[2012/04/19 09:47:52 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Roanna\Application Data\vlc
[2012/04/19 09:46:15 | 000,000,000 | -H-D | C] -- C:\Program Files\VideoLAN
[2012/04/18 21:50:21 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Roanna\Start Menu\Programs\Administrative Tools
[2012/04/02 06:55:20 | 000,418,464 | -H-- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/03/25 10:18:51 | 000,000,000 | -H-D | C] -- C:\WINDOWS\Minidump
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Roanna\My Documents\*.tmp files -> C:\Documents and Settings\Roanna\My Documents\*.tmp -> ]
 
========== Files - Modified Within 60 Days ==========
 
[2012/06/14 23:07:25 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{D3A97F3F-D2EA-4592-8A59-B55B37F0567F}.job
[2012/05/20 16:01:03 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Roanna\Desktop\OTL.exe
[2012/05/20 15:48:19 | 000,013,646 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/20 15:47:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/20 15:20:33 | 000,086,016 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\effcabafaedct.exe
[2012/05/20 15:20:04 | 000,000,855 | -H-- | M] () -- C:\Documents and Settings\Roanna\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
[2012/05/20 15:16:42 | 000,372,224 | ---- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\lWJuExPgDuPCqd.exe
[2012/05/20 15:16:33 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/19 17:04:17 | 000,069,088 | -HS- | M] (Ghisler Software GmbH) -- C:\Documents and Settings\Roanna\Application Data\dplaysvr.exe
[2012/05/19 17:04:13 | 000,041,952 | -HS- | M] () -- C:\Documents and Settings\Roanna\Application Data\dplayx.dll
[2012/05/18 19:06:17 | 000,000,830 | -H-- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/05/18 17:41:38 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-xOU7uamqiK8LTQ
[2012/05/18 17:41:37 | 000,000,160 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-xOU7uamqiK8LTQr
[2012/05/18 17:31:09 | 000,000,837 | -H-- | M] () -- C:\Documents and Settings\Roanna\Desktop\Data_Recovery.lnk
[2012/05/18 17:28:05 | 000,000,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\xOU7uamqiK8LTQ
[2012/05/18 17:27:10 | 000,267,264 | -H-- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\xOU7uamqiK8LTQ.exe
[2012/05/18 17:02:06 | 000,379,392 | -H-- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\irMSTkFdIRNGS.exe
[2012/05/14 20:00:00 | 000,000,738 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Roanna.job
[2012/05/11 16:15:03 | 000,637,716 | -H-- | M] () -- C:\Documents and Settings\Roanna\My Documents\SPONSORSHIP LETTER FOR T-SHIRTS.pdf
[2012/05/08 18:51:56 | 000,000,069 | -H-- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/05/01 21:34:27 | 000,823,446 | -H-- | M] () -- C:\Documents and Settings\Roanna\Desktop\livatone.pdf
[2012/04/24 08:21:08 | 000,001,542 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/04/23 21:38:25 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2012/04/23 07:11:22 | 000,418,464 | -H-- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/04/23 07:11:22 | 000,070,304 | -H-- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/04/19 10:10:12 | 000,000,740 | -H-- | M] () -- C:\Documents and Settings\Roanna\Desktop\Free M4a to MP3 Converter.lnk
[2012/04/19 10:10:12 | 000,000,735 | -H-- | M] () -- C:\Documents and Settings\Roanna\Desktop\My Music Tools.lnk
[2012/04/19 09:47:34 | 000,000,719 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2012/04/16 23:07:36 | 000,001,374 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2012/04/14 09:07:27 | 000,001,729 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2012/04/01 16:52:13 | 000,435,612 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/01 16:52:13 | 000,068,508 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/03/26 17:04:11 | 000,014,050 | -H-- | M] () -- C:\Documents and Settings\Roanna\Desktop\ro ro 6.jpg
[2012/03/22 14:54:44 | 000,301,232 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Roanna\My Documents\*.tmp files -> C:\Documents and Settings\Roanna\My Documents\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2012/05/20 15:20:04 | 000,000,855 | -H-- | C] () -- C:\Documents and Settings\Roanna\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
[2012/05/20 15:19:02 | 000,372,224 | ---- | C] ( ) -- C:\Documents and Settings\All Users\Application Data\lWJuExPgDuPCqd.exe
[2012/05/20 15:16:56 | 000,086,016 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\effcabafaedct.exe
[2012/05/20 15:16:48 | 000,041,952 | -HS- | C] () -- C:\Documents and Settings\Roanna\Application Data\dplayx.dll
[2012/05/18 19:54:38 | 000,800,240 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/05/18 17:41:37 | 000,000,160 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-xOU7uamqiK8LTQr
[2012/05/18 17:41:35 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-xOU7uamqiK8LTQ
[2012/05/18 17:31:09 | 000,000,837 | -H-- | C] () -- C:\Documents and Settings\Roanna\Desktop\Data_Recovery.lnk
[2012/05/18 17:27:35 | 000,000,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\xOU7uamqiK8LTQ
[2012/05/18 17:27:10 | 000,267,264 | -H-- | C] ( ) -- C:\Documents and Settings\All Users\Application Data\xOU7uamqiK8LTQ.exe
[2012/05/18 17:04:52 | 000,379,392 | -H-- | C] ( ) -- C:\Documents and Settings\All Users\Application Data\irMSTkFdIRNGS.exe
[2012/05/11 16:14:59 | 000,637,716 | -H-- | C] () -- C:\Documents and Settings\Roanna\My Documents\SPONSORSHIP LETTER FOR T-SHIRTS.pdf
[2012/05/01 21:34:26 | 000,823,446 | -H-- | C] () -- C:\Documents and Settings\Roanna\Desktop\livatone.pdf
[2012/04/24 08:21:08 | 000,001,542 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/04/19 10:10:12 | 000,000,740 | -H-- | C] () -- C:\Documents and Settings\Roanna\Desktop\Free M4a to MP3 Converter.lnk
[2012/04/19 10:10:12 | 000,000,735 | -H-- | C] () -- C:\Documents and Settings\Roanna\Desktop\My Music Tools.lnk
[2012/04/19 09:47:33 | 000,000,719 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2012/04/02 06:55:21 | 000,000,830 | -H-- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/03/26 17:04:10 | 000,014,050 | -H-- | C] () -- C:\Documents and Settings\Roanna\Desktop\ro ro 6.jpg
[2012/03/01 08:40:27 | 000,003,072 | -H-- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/25 16:11:53 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/07 14:40:12 | 000,002,048 | -H-- | C] () -- C:\Documents and Settings\Roanna\Application Data\PhotobookShop.com.au Prefs
[2011/05/03 16:17:13 | 000,000,029 | -H-- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2011/03/27 10:59:30 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\vpc32.INI
[2011/03/02 22:57:44 | 000,030,568 | -H-- | C] () -- C:\WINDOWS\MusiccityDownload.exe
[2011/03/02 22:57:40 | 000,974,848 | -H-- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2011/03/02 22:57:40 | 000,081,920 | -H-- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2011/03/02 22:57:40 | 000,065,536 | -H-- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2011/03/02 22:57:40 | 000,057,344 | -H-- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2011/01/05 09:57:53 | 000,001,940 | -H-- | C] () -- C:\Documents and Settings\Roanna\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:411E1BE2

< End of report >
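Added example (the editor's, not part of this thread and not OTL's own code): a small Python triage that parses OTL-style lines and flags the items in the log above that a helper would normally script against: the O1 hosts entries that send www.google.com and www.bing.com to 93.113.196.x instead of loopback, the O4 Run value and the .exe files dropped straight into an Application Data root with blank company names, and the NoDesktop = 1 Explorer policy. The sample lines are copied from the log posted above; the heuristics, the category names and the "AppData root" rule are the editor's own assumptions, not OTL output.

```python
import re

# Constructed sample input: lines copied verbatim from the OTL log posted
# above (no fabricated paths or names).
SAMPLE_LOG = r"""
O1 - Hosts: 93.113.196.124 www.google.com
O1 - Hosts: 93.113.196.125 www.bing.com
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [irMSTkFdIRNGS.exe] C:\Documents and Settings\All Users\Application Data\irMSTkFdIRNGS.exe ( )
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O7 - HKU\S-1-5-21-682003330-1123561945-2147153767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 1
[2012/05/20 15:16:48 | 000,069,088 | -HS- | C] (Ghisler Software GmbH) -- C:\Documents and Settings\Roanna\Application Data\dplaysvr.exe
[2012/05/20 15:20:33 | 000,086,016 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\effcabafaedct.exe
[2012/05/18 17:27:10 | 000,267,264 | -H-- | M] ( ) -- C:\Documents and Settings\All Users\Application Data\xOU7uamqiK8LTQ.exe
[2012/04/23 07:11:22 | 000,418,464 | -H-- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (.+?)\.\.\\Run: \[(.+?)\] (.+)$")
NODESKTOP_RE = re.compile(r"^O7 - .*\\policies\\Explorer: NoDesktop = (\d+)$")
FILE_RE = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| ([\d,]+) \| ([-A-Z]{4}) \| ([CM])\] "
    r"\((.*?)\) -- (.+)$"
)
# Editor's heuristic: an .exe sitting directly in a profile's "Application
# Data" root (All Users or a named user) rather than in a vendor sub-folder.
APPDATA_ROOT_EXE = re.compile(r"\\Application Data\\[^\\]+\.exe$", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def triage_hosts(ip, hostname):
    """Flag a hosts entry that points a domain somewhere other than loopback."""
    if ip not in LOOPBACK:
        return ("hosts-hijack", f"{hostname} -> {ip}")
    return None


def triage_run_entry(hive, name, rest):
    """Flag an O4 Run value with no company name or a target in an AppData root."""
    if rest.endswith("File not found"):
        return None  # dead entry, nothing is launched
    m = re.match(r"^(.*?) \((.*)\)$", rest)
    if not m:
        return None
    path, company = m.group(1).strip(), m.group(2).strip()
    if APPDATA_ROOT_EXE.search(path) or not company:
        return ("autorun", f"{hive} [{name}] {path} company='{company}'")
    return None


def triage_file_entry(stamp, size, attrs, kind, company, path):
    """Flag an .exe created/modified directly under an Application Data root."""
    if APPDATA_ROOT_EXE.search(path):
        return ("dropped-exe", f"{stamp} attrs={attrs} company='{company.strip()}' {path}")
    return None


def triage(log_text):
    """Run every heuristic over OTL log lines; returns a list of (category, detail)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := HOSTS_RE.match(line):
            f = triage_hosts(*m.groups())
        elif m := RUN_RE.match(line):
            f = triage_run_entry(*m.groups())
        elif m := NODESKTOP_RE.match(line):
            f = ("policy", "NoDesktop = 1 hides every desktop icon") if m.group(1) == "1" else None
        elif m := FILE_RE.match(line):
            f = triage_file_entry(*m.groups())
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:12} {detail}")
```

On a full OTL.txt, feed the whole file to triage() and read every finding by hand before writing a fix script: the blank-company rule is deliberately loose and will also catch harmless entries such as the [KiesPDLR] Run value in the log above, which OTL lists with empty parentheses.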

I said in the OTL instructions,

 

An OTL.txt will be created. Attach it back here to a message

 

 

How do you send a photo to someone via email??

 

Quads

It says "please correct the highlighted errors"
"The attachment's content type (application/octet-stream) does not match its file extension"
...sorry, I am following your instructions.

I'm not a complete buffoon - but it's very hard to do something when it won't let me!!

Do you have a solution for that to be able to upload the file?

The OTL.txt is a .txt file that can be attached in forum messages; many people have done it before.

 

Under Custom Scans/Fixes, copy and paste the custom script attached, which you open in, for instance, Notepad (include the : at the start of :OTL and all the way to the end / bottom), and run the script (red Run Fix button).

 

The output log should be placed in the C:\_OTL folder afterwards.

 

Quads

OK, did everything as you said -

Inserted the script into Custom Scans/Fixes and pressed the Run Fix button.
It has come up with a window that says
"The system requires a reboot to finish removing files.
Click OK to reboot now."

Umm, was this supposed to happen?

Thanks

BTW - obviously haven't pressed OK without instruction!

Hmmmmm, leave that as it is, open and waiting to the side.

 

Better check something first. Download this program http://www.bleepingcomputer.com/download/unhide/ and run it.

 

Quads

Argh, downloaded, started running - CMD box opened up and then an error message came through saying

"Windows - Drive Not Ready"
"Exception Processing Message c00000a3 Parameters etc."
Do I

Cancel / Try Again / Continue ?

 

Being good and not doing anything without instruction!