
Vista Startup Problem

Discussion in 'Malware Removal Help' started by brian, Jul 7, 2011.

  1. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi Leppin,

    You obviously have been downloading pirate copies of programs.
    All of these MUST be removed before we can continue.
    Also, if you have a legit copy of Windows...... why do you need a prohibited software crack which is used to avoid the Windows’ copy protection?

    I will wait for your answers before proceeding.
     
  2. brian

    brian Registered Members

    Joined:
    Jul 7, 2011
    Messages:
    15
    Location:
    wales
    Operating System:
    Windows Vista Enterprise
    i was trying to help fix my cousin's laptop and when i had downloaded the microsoft security updates on to it the not genuine thing popped up and he was pretty insistent that i try and fix it
    everything else is my fault i guess
    is there anything you want me to delete in particular?
    if you want me to go away now i will but thank you for your help anyway




    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files (x86)\doctor who - the adventure games\data\episode_3\fx\glass_crack2.epc
    scanner sequence 3.NA.11.HKCARD
    ----- EOF -----
     
  3. Match

    Match Registered Members

    Joined:
    Apr 23, 2009
    Messages:
    4,175
    Location:
    Wolverhampton, UK.
    Computer Brand or Motherboard:
    Abit AN52
    CPU:
    AMD Athlon dual core 5000+
    Memory:
    4 Gig Corsair
    Hard Drive:
    160 Gb Hitachi 500 Gb Western Digital
    Graphics Card:
    Radion XFX 4650
    Power Supply:
    550W EZcool
    Hi Lepplin

    We're not asking that "You go Away" but we have walked into a legal mine field. There are many views and opinions on pirated software, and our problem is that it's easier to sue or take legal action against a web site than it is to do the same to an individual, which leaves us in a position that any further help from us would result in us being liable.

    Unfortunately it would now seem your best course of action would be to do a clean install with a legal copy of windows ;)

    If you search the net you will find many articles on issues with windows validation invalidating legitimate copies of windows, and many 'fixes', although my personal favourite fix if you know you have 100% legal windows key is to phone Microsoft support and normally get them to issue a new key or re-validate the old key.
     
  4. brian

    brian Registered Members

    my copy of vista is legit it came with my dell pc i have the key sticker attached to my tower, i was trying to help my cousin which was a silly thing to do i guess
    i have a backup disk which came with my pc as well if i need to try a clean install
    i am sorry if i have put you in a bad situation
     
  5. DSTM (Dougie)

    DSTM (Dougie) Registered Members

    Joined:
    May 3, 2009
    Messages:
    8,270
    Location:
    SYDNEY AUSTRALIA
    Operating System:
    Windows 7
    Hi lepplin. You can only use the legit product key on your Computer, not on your Cousin's Computer as well. :)

    We are not in a bad situation as we stated what we can and can't do.

    Take Match's advice and use only Legit copies of Windows.

    One copy per Computer.
     
  6. starbuck

    starbuck Rest In Peace Pete Administrator

    With that in mind and looking at the reports, this is the conclusion i arrive at:

    The offending software was found at: c:\Users\brian\downloads\windows xp crack\
    I take it that you named the folder 'Windows XP crack' ?
    as it wasn't actually installed on your system, i'm inclined to believe you.
    Had it been found in the system32 folder ...... you couldn't have talked your way out of it.

    As already pointed out by Match, the best course of action in these circumstances is to phone Microsoft and explain what has happened.
    I've actually done this on 2 occasions and have found them very helpful and everything was sorted in less than a couple of minutes.

    You can see our point though.... we have to abide by the law on these issues.

    the MGADiag.exe report actually bears this out..... the copy of Vista is legit.
    This is what we look for :
    0 - Genuine
    1 - Not Genuine
    6 - Unsupported
    50 - Trial expired
    It's one of the few times that getting a 0 is good news. ;)

    If you don't mind me saying ...... i believe that you acted in what you thought was the best interests of your cousin when trying to help, but you made a bad situation for yourself in taking the wrong course and acted rather silly.

    The other issue is/was:
    these are illegal downloads.

    As i believe you over the prohibited software crack and the fact that you have removed the Nero illegal items from your system as shown in the last CKScanner report ( the remaining item is ok ... it's just a name that includes the word crack) i'm prepared to continue with the help.

    Btw:
    if you had tried to just remove the items from the report, i'd have been able to tell.
    But you didn't, you were honest with your post.

    I'm off out for an hour or so, but i'll prepare a fix based on the reports when i return.
     
  7. starbuck

    starbuck Rest In Peace Pete Administrator

    Hi lepplin

    Ok, let's get to work on this system.

    Recommendation.

    You have the following installed:
    Spybot - Search & Destroy
    Virgin Media Toolbar
    Ask Toolbar


    Spybot - Search & Destroy
    Not really kept up to date with recent malware trends and doesn't offer enough protection anymore.
    I recommend you uninstall it.

    Virgin Media Toolbar
    Ask Toolbar

    Both of these are what we call Foistware and are both classed as 'Open to debate'.
    Although they don't do anything bad, they are normally installed with other software and get installed without your knowledge.
    If you don't particularly need them i recommend you uninstall them.

    All these programs are to be found in your add/remove list.

    Step 1
    Double click on OTL to run it.
    Copy the lines in bold below. (make sure that :Otl is on the first line )

    :OTL
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKCU..\RunOnce: [Shockwave Updater] File not found
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} http://downloads.vir...tainstaller.cab (Reg Error: Key error.)
    O33 - MountPoints2\{9b33c039-fde6-11dd-aa5b-00219b29d339}\Shell - "" = AutoRun
    O33 - MountPoints2\{9b33c039-fde6-11dd-aa5b-00219b29d339}\Shell\AutoRun\command - "" = K:\OblivionLauncher.exe
    O33 - MountPoints2\{b15d1468-58e4-11de-b7ca-00219b29d339}\Shell - "" = AutoRun
    O33 - MountPoints2\{b15d1468-58e4-11de-b7ca-00219b29d339}\Shell\AutoRun\command - "" = L:\CD_Start.exe
    [2011/07/07 19:02:41 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{EB7F56D8-9DCE-4A4E-82DC-B48D2C6DAFF7}
    [2011/07/06 20:49:14 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{7AE2636F-B03E-4703-84F0-C8C43AD1499D}
    [2011/07/05 12:41:46 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{DC6B677E-BF7B-4674-9603-3F112C86892A}
    [2011/07/04 12:14:48 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{785A1DE5-7B9C-4022-88F1-140589673408}
    [2011/07/03 23:50:06 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{0FE11D4F-0869-4934-B065-E7645A0A7748}
    [2011/07/01 22:01:02 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{6AFE1F50-BA8F-46C8-ABEA-9714A78AFFB1}
    [2011/06/30 22:06:03 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{EAB53065-C293-4070-9FF6-0CAD3337B3A4}
    [2011/06/30 05:50:46 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{E565B414-0295-4CDB-BC01-6DCB9297F7AC}
    [2011/06/29 22:07:13 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{E0FAF8CF-AC90-455A-98A8-A19B3A7495D0}
    [2011/06/28 22:54:12 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{E8E3D605-CB8B-4CA7-ADB7-9C203BA315A1}
    [2011/06/28 06:42:18 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{F76495FC-A875-40B5-A743-6E4F57F13A8D}
    [2011/06/27 17:57:22 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{ECEC4C86-56EE-4BA0-A0E4-F2B6CB940223}
    [2011/06/27 10:42:35 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{C97FE130-8F26-467C-B23B-59583DE83D67}
    [2011/06/26 22:42:10 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{F4544B0B-FC4B-4133-AE1F-74646DFF4ADA}
    [2011/06/26 07:52:15 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{2C0D7B66-BA11-4B50-823E-65F56F4E4665}
    [2011/06/25 16:30:16 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{54B617BE-8E77-4C36-A45A-FD16396F7395}
    [2011/06/24 16:52:34 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{D596364A-1966-4225-9F99-5ECDCF79E2D3}
    [2011/06/23 20:16:43 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{8900C41D-B70C-4851-9D82-D83540E26B88}
    [2011/06/22 20:27:30 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{BAAEFF75-118F-4265-ADCD-F1289EE84B4B}
    [2011/06/21 21:34:19 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{63A4990D-5C45-4A21-8057-53CE491EECD5}
    [2011/06/21 06:57:34 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{7E9B256B-D52B-42BC-9F54-FEF2A7FE3F03}
    [2011/06/20 10:22:45 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{063066DD-A741-40B6-AFA1-862F73A0B6BF}
    [2011/06/18 23:28:40 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{8D16BC99-8279-441C-8513-751664768BB0}
    [2011/06/18 06:44:49 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{960A2BB3-8741-4C4C-8552-8C4BEC471D15}
    [2011/06/16 19:28:35 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{4472DFEE-7358-4EE2-BF8A-03BD76B295E0}
    [2011/06/15 22:48:25 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{8815325A-8120-448C-8648-77D6234BB870}
    [2011/06/15 06:44:37 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{3B65E02D-ECDF-4EF0-9DD3-36A73937EF0F}
    [2011/06/13 23:00:02 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{A1D17B1C-FCE8-423E-98B8-FD7777F71D89}
    [2011/06/13 07:38:49 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{4926499F-86D5-4819-B867-43630DBB3D42}
    [2011/06/11 16:43:47 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{B361476B-3661-4D07-8531-C6F34B28ED78}
    [2011/06/10 19:46:48 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{21E8A75A-8285-4341-AA01-3147435199A4}
    [2011/06/10 07:13:13 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{C314FC7F-1A50-4A39-A0E8-FCD1B929B8E4}
    [2011/06/09 07:02:00 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{A0024535-EF2D-45C2-B57D-A3E933B536BF}
    [2011/06/08 07:23:53 | 000,000,000 | ---D | C] -- C:\Users\brian\AppData\Local\{27C03564-98B5-493B-9AA3-B4ACC807E57C}
    @Alternate Data Stream - 487 bytes -> C:\ProgramData\TEMP:05EE1EEF
    @Alternate Data Stream - 198 bytes -> C:\ProgramData\TEMP:D282699C
    @Alternate Data Stream - 152 bytes -> C:\ProgramData\TEMP:B623B5B8
    @Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:CF2C26D2
    @Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:2A8A3140
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:ABD3B354
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:45FE2B4E
    @Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:331C7AE9
    @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:5425B7F5
    @Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:27B99ED6
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:4DBBB4EA
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:32ED0002
    @Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:9C5E2795
    @Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:940C4202

    :Files
    ipconfig /flushdns /c

    :commands
    [emptytemp]
    [purity]
    [RESETHOSTS]
    [EMPTYFLASH]


    • Return to OTL,
    • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
    • Click the red Run Fix button.
    • OTL will reboot your system once the fix has completed.
    • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

    Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

    if you lose the report, there will be a copy here:
    C:\_OTL\MovedFiles



    Step 2
    • Click on Start
    • Click on Computer
    • Right click on your main drive (usually 'C')
    • Select Properties
    • Click on the Tools tab
    • Under Error Checking.. Click Check Now
    • Tick the options that you require ( I recommend that you tick both options )
    • Click Start
    • On the screen that comes up.. Click Yes then OK
    • Now restart your computer.
    Note: Be patient. Analyzing the drive can be a lengthy process



    Step 3
    I want you to run Combofix, but because you have Avast installed .... it may throw up a message asking to run it in sandbox.

    Select run normally and tick the box to remember

    Then click OK


    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2

    This is an example, you may rename ComboFix to anything you want.

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
      For more information read:
      How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

      Then:

      Double click on Combo-Fix.exe & follow the prompts.

      Vista/Win7 users should right click on the icon and select Run as Administrator.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

      If running Vista/Win7, you will not see the recovery console screens
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


    In your next reply, please submit:
    Otl fix report
    Combofix.txt


    Thanks.
     
    Last edited by a moderator: Feb 4, 2014
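
A fix script like the one in Step 1 can be checked mechanically before it is pasted into OTL. The following is an added example, not part of the original post and not OTL's own code: it confirms that the first line is the :OTL directive, as the post requires, and tallies what each section contains. The sample script, its paths and GUIDs are constructed, and the line patterns are assumptions based only on the layout quoted in the post.

```python
import re
from collections import Counter

# Constructed sample in the layout of the fix quoted in the post (paths and GUIDs are made up).
SAMPLE_FIX = r"""
:OTL
O4 - HKCU..\RunOnce: [Example Updater] File not found
O16 - DPF: {00000000-0000-0000-0000-000000000001} http://example.invalid/a.cab (Reg Error: Key error.)
O33 - MountPoints2\{00000000-0000-0000-0000-000000000002}\Shell\AutoRun\command - "" = K:\Example.exe
[2011/07/07 19:02:41 | 000,000,000 | ---D | C] -- C:\Users\example\AppData\Local\{00000000-0000-0000-0000-000000000003}
@Alternate Data Stream - 487 bytes -> C:\ProgramData\TEMP:00000000

:Files
ipconfig /flushdns /c

:commands
[emptytemp]
[RESETHOSTS]
"""

# Assumed line shapes, taken from the layout quoted in the post, with a short label each.
KINDS = [
    (re.compile(r"^O(\d+) - "), "registry"),
    (re.compile(r"^\[\d{4}/\d\d/\d\d .*\| [-A-Z]{4} \| [A-Z]\] -- "), "file_or_folder"),
    (re.compile(r"^@Alternate Data Stream - \d+ bytes -> "), "ads"),
]

def review_fix(text):
    """Return (problems, counts) for a pasted fix; counts are keyed by entry kind or section."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems, counts, section = [], Counter(), None
    if not lines or lines[0].lower() != ":otl":
        problems.append("first line is not the :OTL directive")
    for ln in lines:
        if ln.startswith(":"):          # a section header such as :OTL, :Files, :commands
            section = ln.lower()
            continue
        if section == ":otl":
            kind = next((label for rx, label in KINDS if rx.match(ln)), None)
            if kind is None:
                problems.append("unrecognised line: " + ln)
                continue
            m = KINDS[0][0].match(ln)   # registry entries are tallied per O-number
            counts[f"O{m.group(1)}" if m else kind] += 1
        else:
            counts[section or "no-section"] += 1
    return problems, counts
```

An empty problems list together with the expected counts means the text that was pasted matches what was posted, entry for entry.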
  8. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY

    Joined:
    Apr 20, 2009
    Messages:
    7,201
    Location:
    New Jersey "Stronger than the Storm"
    Operating System:
    Windows 7
    http://computerhelpf...-in-this-forum/

    Before posting in this forum read the above. I have already removed one post today.

    Unfortunately the forum is not blocked automatically at this point but the rule still applies.
     
