
Windows Vista Recovery Virus

This is a discussion on Windows Vista Recovery Virus within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.

Old 05-29-2011, 04:24 PM   #1
Registered Member
Join Date: May 2011
Posts: 1
OS: Windows Vista Home Basic Service Pack 2

My mother-in-law had/has the Windows Vista Recovery Virus on her PC. I may have gotten rid of it but I'm not positive. I tried a solution from another site, but I'm not positive that it is gone. She was getting many popups about the hard drive failing, memory full, files missing and the usual. I used CCleaner and SUPERAntiSpyware software to try and get rid of the virus; I was in safe mode when I used them. The only problem I had on the last bootup was that HP Advisor was still having trouble loading; I just canceled it in Task Manager. So could you possibly take a look and see if I got rid of the virus for her?

Thanks in advance
Mark Brown

DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Harris at 16:31:00 on 2011-05-29
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2036.1133 [GMT -4:00]
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\GamesBar\SearchEngineProtection.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Oberon Media\Parts\\OberonParts.exe
C:\Program Files\Internet Explorer\iexplore.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/?r70=1306700739
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uURLSearchHooks: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: GamesBarBHO Class: {cb0d163c-e9f4-4236-9496-0597e24b23a5} - c:\program files\gamesbar\\oberontb.dll
BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: GamesBar: {6f282b65-56bf-4bd1-a8b2-a4449a05863d} - c:\program files\gamesbar\\oberontb.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] F:\SUPERAntiSpyware.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SearchEngineProtection] c:\program files\gamesbar\SearchEngineProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DPService] "c:\program files\hp\dvdplay\DPService.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki...
IE: {B30BFFB6-FA8C-4853-9F25-1CAB725ECE8D} - c:\program files\pokerstars.fox\PokerStarsUpdate.exe
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - c:\program files\gamesbar\\oberontb.dll
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://msn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} - hxxp://zone.msn.com/bingame/mosi/default/msi.
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {61900274-3323-4446-BDCD-91548D32AF1B} - hxxp://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.23.01.0/iewwload.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - hxxp://www.worldwinner.com/games/v42/tilecity/tilecity.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://clubgames.pogo.com/online2/pogo/zenerchi/ZenerchiWeb.
DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} - hxxp://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v53/wwspades/wwspades.cab
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
============= SERVICES / DRIVERS ===============
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-14 135664]
S3 13040;13040;c:\windows\system32\drivers\13040 [2011-4-25 9072]
S3 17473;17473;c:\windows\system32\drivers\17473 [2011-5-29 9072]
S3 28258;28258;c:\windows\system32\drivers\28258 [2011-5-28 9072]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-14 135664]
S3 ODWGU(Ativa);Ativa Wireless G USB Network Adapter(Ativa);c:\windows\system32\drivers\ODWGU.sys [2009-2-15 408064]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2011-05-29 18:31:10 -------- d-----w- c:\users\harris\appdata\roaming\SUPERAntiSpyware.com
2011-05-29 18:31:10 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-05-29 16:46:53 -------- d-----w- c:\windows\pss
2011-05-14 14:13:21 -------- d--h--w- c:\users\harris\appdata\roaming\playmink
2011-05-14 14:08:21 -------- d-----w- c:\program files\Hobby Farm
2011-05-11 13:45:38 -------- d-----w- c:\program files\Fishdom
2011-05-11 13:33:15 -------- d--h--w- c:\users\harris\appdata\roaming\Orneon
2011-05-11 13:31:36 -------- d-----w- c:\program files\Relics of Fate - A Penny Macey Mystery
2011-05-11 12:02:25 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-11 11:53:20 -------- d--h--w- c:\programdata\Alawar Stargaze
2011-05-11 10:44:43 -------- d-----w- c:\program files\Fishdom - Spooky Splash
2011-05-10 10:30:08 -------- d-----w- c:\program files\Hidden in Time - Looking glass Lane
2011-05-10 09:47:23 -------- d--h--w- c:\programdata\The Game Equation
2011-05-10 00:34:28 -------- d-----w- c:\program files\Snark Busters - All Revved up
2011-05-07 22:25:37 -------- d-----w- c:\program files\Mahjongg Dimensions Deluxe
2011-05-04 22:57:39 -------- d--h--w- c:\users\harris\appdata\roaming\Playrix Entertainment
2011-05-04 22:55:39 -------- d-----w- c:\program files\Fishdom H2O - Hidden Odyssey
2011-05-04 20:29:37 -------- d--h--w- c:\users\harris\appdata\roaming\Big Fish Games
2011-05-04 20:28:13 -------- d-----w- c:\program files\Mystery Case Files - Dire Grove
2011-05-04 20:21:24 -------- d--h--w- c:\programdata\Big Fish Games
2011-05-04 20:21:19 -------- d-----w- c:\program files\bfgclient
2011-05-04 20:19:39 -------- d-----w- C:\BigFishGamesCache
2011-04-29 22:49:37 -------- d--h--w- c:\programdata\FarmFrenzy_Rome
==================== Find3M ====================
2011-05-29 13:05:38 9072 ----a-w- c:\windows\system32\drivers\17473
2011-05-28 23:08:12 9072 ----a-w- c:\windows\system32\drivers\28258
2011-04-25 11:00:05 9072 ----a-w- c:\windows\system32\drivers\13040
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:13 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:35:36 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
============= FINISH: 16:32:07.86 ===============
Attached Files
File Type: zip ark.zip (742 Bytes, 4 views)
File Type: zip Attach.zip (3.4 KB, 6 views)
Old 05-30-2011, 03:26 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
chemist's Avatar

Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 28,349
OS: XP/Win7/Win10

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
Please explain why this computer has no antivirus program installed and running. This is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

Please keep this computer offline except when downloading tools and posting in the forum until we get one installed. Let me know your intentions for an antivirus program.
Please uninstall the following via the Programs and Features section of your Control Panel if they still exist:

LiveUpdate (Symantec Corporation)
We do not recommend the use of registry cleaners. Our colleague miekiemoes has an excellent writeup here

We suggest uninstalling them via Programs and Features in your Control Panel.
I see you have Weatherbug Gadget installed on your system. This application is not spyware but is ad-supported, containing both banner and pop-up ads. Please read here

Although this is entirely up to you, we recommend uninstalling it and downloading an ad-free alternative from here or here
Please go to: VirusTotal
  • Click the Browse button.
  • Please copy/paste the following bolded text into the 'File name:' box:


  • Click Open then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already submitted: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Old 06-03-2011, 12:51 PM   #3

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

Copyright 2001 - 2015, Tech Support Forum