'Tray' error - please help

Solved
By mummyal
Apr 22, 2010
  1. Hi there

    Didn't think I'd be back this soon lol. You very kindly helped me with my Google redirect problem not too long ago.

    The pc has been working fine and all of a sudden, when I switched it on this morning, an error message box popped up -- "Tray has encountered a problem and needs to close. We are sorry for the inconvenience".

    The desktop screen took a while to load before that and I did think then that something didn't seem quite right. After closing the error box, I noticed that the bottom taskbar looked a bit different (ie basic). The first thing I did was to try and save/transfer my photos to my external hard drive but it wouldn't let me. I used Windows Explorer. I've also just tried saving them on to a CD but that doesn't seem to be working either. Tried to do a scan with McAfee and even that doesn't start up.

    I can't connect to the internet - when I double-click on the IE icon, nothing happens. Outlook Express isn't working either.

    I've just done a quick search (using hubby's laptop) and haven't found many results abt it. One did say to download MBAM etc, save it on to a CD or flash drive (I can't find my flash drive, so have used CD) and then install it that way.... but even that doesn't work!

    Help!! Thanks.

    Alice
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Alice, can you get in to the machine at all? You're telling us that things 'don't work' but not what's happening. Are you getting error messages? What do they say?

    There are a number of "tray" errors similar to the one you've mentioned but if it refers to only "tray", then it could also be a malware program known as "tray.exe". In that case, you will need to follow the steps we have set up for preliminary removal of virus and malware HERE.

    And if you cannot connect to the internet, you will have to go find, and use, the flash drive to download the programs. You may have to use Safe Mode initially if you cannot get into the system in normal mode.
  3. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    Hi Bobbye

    Thanks for your reply.

    Yeah, it only refers to 'tray'. I can get into the machine. Whenever I click on the IE icon, nothing happens. When I click on my Outlook Express icon, I get the Inbox etc screen but I can't send/receive emails. I can open Windows Explorer, look at my files/photos but when I try and copy the photos on to my external hard drive (or even on to a CD), it won't let me do that. The CD drive doesn't seem to be working.

    The only error message which I am getting is the one I have mentioned about Tray and this appears after the start-up screen etc, ie once I'm on the desktop screen. I have also clicked to see what sort of data is in this 'error report' (I can't even send it) and one of the things which I recognise is Barbie/Mattel. My daughter has a Barbie MP3 player. She has had it for about 2 yrs now and it hasn't given us any problems so far.

    I will go through the 8-step removal process soon. I can't find my memory stick at the moment, so might have to go and buy another one tomorrow. Hopefully the USB port will work, seeing that the CD drive isn't working.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Try doing this: once in Windows Explorer> click in My Computer> Double click on Local Drive (C)> Programs> find and click the program words 'Internet Explorer'> On the right screen look for and click on iexplore.exe .

    If IE will launch from here, you won't need to use a flash drive. I had a mysterious system problem a while back and IE wouldn't launch in the normal ways. I tried doing this in Windows Explorer and it worked. I ran the system through the Error Checking and it fixed the problem.
  5. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    Logs

    I can't get in that way either :(.

    At least the USB port's working, so have just managed to go through the 8-steps via the flash drive (well, except MBAM).

    When I tried to set up MBAM (from memory stick), a msg box popped up saying 'Run-time error 372. Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.' So, am unable to run it as can't connect to the internet using my pc.

    Here are the other logs as requested. I've had to attach them as they are too long.


    On another note re: the 'Tray' error, I have made a note about the error report/details. Don't know if it will be of any help to you or not but here are the details:

    Error signature:
    EventType: clr20r3
    P1: mattel.barbiegirls.tray.exe
    P2: 1.0.0.0
    P3: 45f8b689
    P4: mattel.barbiegirls.tray
    P5: 1.0.0.0
    P6: 45f8b689
    P7: f
    P8: 2
    P9: pszqoadhx1u5zahbhohghldgiy4qixhx


  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Thank you. The Source for this error is usually the .NET Runtime 2.0 Error Reporting. So I have the following suggestions:

    1. Make sure the .NET Runtime is properly updated.
    2. Take the Barbie program off of startup. It can be started at any time through All Programs.
    3. Check the Mattel site and see if there is any update for the Barbie program or player.

    See if that works.

    You might enjoy this comment I found from a dad whose daughter has this program:
    But that's pretty drastic! Updating and taking off of startup should accomplish the same thing. If everyone's log looked as clean as yours, I'd be out of a volunteer job! If the problem does persist or you notice other possibly malware-related problems, let me know and I'll set up Combofix for you to run.
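Added example, not part of the original posts: a short Python parser for the `clr20r3` error signature quoted in post 5, showing how to read which process crashed and whether the fault sits in the program's own assembly. The field names follow the commonly documented layout of these .NET 2.0 buckets; the function and key names are hypothetical.

```python
from datetime import datetime, timezone

# Error signature exactly as posted in the thread.
SIGNATURE = """\
EventType: clr20r3
P1: mattel.barbiegirls.tray.exe
P2: 1.0.0.0
P3: 45f8b689
P4: mattel.barbiegirls.tray
P5: 1.0.0.0
P6: 45f8b689
P7: f
P8: 2
P9: pszqoadhx1u5zahbhohghldgiy4qixhx
"""

# Commonly documented meaning of the nine clr20r3 parameters (assumption:
# this layout, not anything stated in the thread itself).
FIELDS = {
    "P1": "app_name", "P2": "app_version", "P3": "app_timestamp",
    "P4": "fault_assembly", "P5": "fault_assembly_version",
    "P6": "fault_assembly_timestamp", "P7": "method_def",
    "P8": "il_offset", "P9": "exception_type",
}


def link_time(hex_stamp):
    """Link timestamps are seconds since 1970-01-01 UTC, written in hex."""
    try:
        return datetime.fromtimestamp(int(hex_stamp, 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None


def parse_bucket(text):
    """Turn the 'Pn: value' lines into a dict keyed by field meaning."""
    raw = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            raw[key.strip()] = value.strip()
    if raw.get("EventType", "").lower() != "clr20r3":
        raise ValueError("not a clr20r3 (.NET 2.0 unhandled exception) bucket")
    missing = [p for p in FIELDS if p not in raw]
    if missing:
        raise ValueError("bucket is missing " + ", ".join(missing))
    return {name: raw[p] for p, name in FIELDS.items()}


def triage(text):
    """Summarise the bucket for a first look at what actually crashed."""
    b = parse_bucket(text)
    exe = b["app_name"].lower()
    stem = exe[:-4] if exe.endswith(".exe") else exe
    # Same name, version and build stamp: the exception was raised in the
    # program's own main assembly rather than in some other loaded module.
    own = (b["fault_assembly"].lower() == stem
           and b["fault_assembly_version"] == b["app_version"]
           and b["fault_assembly_timestamp"] == b["app_timestamp"])
    built = link_time(b["app_timestamp"])
    return {
        "process": b["app_name"],
        "built_utc": built.isoformat() if built else None,
        "fault_in_own_assembly": own,
        # P7 is the method's row id; MethodDef tokens live in table 0x06.
        "method_def_token": 0x06000000 | int(b["method_def"], 16),
        "il_offset": int(b["il_offset"], 16),
        "exception_id": b["exception_type"],
    }


if __name__ == "__main__":
    for key, value in triage(SIGNATURE).items():
        print(f"{key}: {value}")
```

For this signature the crashing process is the Barbie Girls tray program itself, with a 2007 build stamp, which fits the advice above to take it off startup and look for an update.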
  7. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    lol. I did try uninstalling it but it wouldn't let me! :mad: Tried to uninstall it via the 'uninstall' option on the start up bar and also via Control Panel (add/remove program) but no luck with both.

    How do you take the program off start-up? And where can I get the update for .NET Runtime?

    I have also attached a HJT log. I don't know whether it's the most recent version or not (downloaded it 2-3 mths ago I think?) but just wondering whether it might be helpful?

    I can't even copy photos over on to the flash drive. Doesn't give me that option.

    Argh! Thanks for your help so far.


  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    This is a different system than the Toshiba laptop Broni helped you with last month. If the current HijackThis log you left is for this system, it appears that it is 64bit operating system- either that or you have all the Services turned off- in which case, nothing would work!

    To take a program off of the Startup Menu: This is not the same as uninstalling. I just want you to take Barbie off of Startup for now, not uninstall it.

    Please reopen HijackThis to 'do system, scan only'. Check the following processes if present:
    O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
    Close HJT and click on "Fix Checked".

    Please run the online Eset AV scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please paste the log in to the next reply. After I see that, I'll determine where to go next. This should stop the Barbie tray problem for now. But there is an autostarting entry in the log to be removed. So I'd like you to submit it for identification:

    Suspicious file(s) to scan: > browse or upload.

    Shell=Explorer.exe rundll32.exe nnrs.gqo eejli

    http://www.virscan.org/

    1, You can UPLOAD any files, but there is 20Mb limit per file.
    2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
    3, VirSCAN can scan compressed files with password 'infected' or 'virus'.

    Please leave both the Eset log and the VirSCAN log.

    I will answer your questions after I see what we're dealing with.
  9. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    No, the HJT log I posted is for my pc which I'm currently seeking help for. I still had the HJT programme installed on there.

    I have managed to remove the program from the start-up bar. Also, I've removed the 04 entry found on the log and restarted my machine ... and the 'tray error' message didn't pop up (a good start I suppose?).

    Unfortunately, I can't run the ESET or upload the suspicious file to virscan.org as I can't connect to the net on my ill pc. I have tried to search for the file as well but the search function isn't working. I did think that 'shell=explorer.exe' thing looked a bit suspicious coz firstly, it wasn't there before and there're funny letters at the end.

    Another thing I should mention is that I can't add anything to my desktop either. At the moment, the only things which are working (when I click on the icons on my desktop) are HJT and Spybot.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You did not answer my question about whether your operating system is 64bit. I need to know that because some programs won't run on the 64bit machines.

    But it does appear that the tray error was due to the program being on Startup.

    The following is basic info as I can't go further until I know about the 64bit.
    Don't try to add anything to your desktop unless you are doing a download with 'save to the desktop.' If you cannot even do that, when you click on the SAVE button, change the location to My Documents in the top box that says 'Save in' or Location.

    Most users have the desktop set for the saves as a matter of convenience, but that can easily be changed.
  11. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    Sorry abt that. How do I find out whether or not my operating system is 64bit? Am not very savvy when it comes to technical bits like this.
     
  12. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    Right, I've just Googled to find out how to do it. I've clicked on Start/Programs/Accessories/System Tools/System Information but it's not coming up with anything. Is there another way?

    Even when I try and get into McAfee/Skype/etc from the 'Start' bar (or the icons on desktop), they don't work.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Do me a favor please. If you have something to add or change in a reply and there is no post after it, use the Edit feature instead of generating a new reply. I get email feedback for each reply and it can get overwhelming!

    An easier way to get the information is: Control Panel> System. Most of it will be on that screen that opens. If you cannot tell, please give me the computer information and I'll look it up. I think you would know if you got 64 bit.

    If you did not, then I ask if you did anything to the Services? Have you ever gone into the Computer Management and done anything? Or have you used the msconfig utility> Services tab to uncheck the Services?

    What I see in the log appears to be a listing of ALL of the Services, most show 'unknown owner and file missing'. When HJT is run on a 64bit system, the scan comes out like that, but I don't see any other evidence of possible 64 bit. So IF you have the more common 32bit of Windows XP, then there is a big problem with the Services!

    The McAfee Services are running and okay, so is LightScribe, Java, Intel and some others. But normally HJT does not display all of these Services. If you have changed the Startup type for what I see, then that's why you can't do anything on your system. I can have you enable those Services again if needed, but I have to know why I'm seeing this- what is causing it.
  14. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    Many apologies for posting so many replies.

    I have the System Properties screen up and all it says is Microsoft Windows XP/Media Center Edition/Version 2002/Service Pack 3.

    As to whether I did anything to Services/Computer Management, I would say no because I wouldn't usually touch these things as I have no idea about things like that.

    I am quite puzzled as to how come I seem to have got this problem literally 'overnight'. The pc was working absolutely fine a few hours before (I shut down at midnight and switched it on again the next morning).

    Edited to add:
    OMG !! I've sorted the problem out now!!! I was talking to a friend about this today and she mentioned that she read a little article in the papers about how McAfee's antivirus update had caused lots of computers to crash but mainly to do with corporate/business users -- and the update happened on Wed 21/4 and the 'crash' happened on Thurs morning. I checked up on it but didn't think it was what I had coz I didn't have the 'Svchost.exe' error box pop up. But the more I read, the more I thought it might be it (taskbar missing, explorer not working etc) and McAfee's website had a "fix-it" article and I decided to go for it -- and hallelujah, it has worked !! It's to do with the 5958.DAT file.

    Everything seems to be back to normal now. Just want to say THANK YOU VERY MUCH for your help and effort in helping me with this problem. Thank goodness I spoke to my friend about it. If not, I think we wld still be going round in circles!
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I posted this on this board 3 days ago: Too bad you didn't see it.

    McAfee Update Causes Problems: http://www.techspot.com/vb/topic146223.html

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Check and make sure GRME and DDS are removed. I'm not sure OTCleanIt is removing them.

    Glad to help- sorry we didn't get our heads together. Let me know if you need help in the future.
  16. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    I couldn't run Combofix as didn't use it in the first place. Have run OTCleanIt and seems to have cleaned everything up.

    Upon rebooting, another error box popped up saying 'Error loading nnrs.gqo. Specified module could not be found.' Clicked ok and that was that. I then went back to one of your earlier replies re: uploading suspicious file to virscan.org - but it just said file not found. I googled 'nnrs.gqo' and there was only one result: http://www.superantispyware.com/malwarefiles/NNRS.GQO.html

    Shd this entry therefore be removed/fixed on the HJT log?
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I got 155 results in a search for nnrs.gqo. NNRS.GQO - Trojan.Agent/Gen-FakeAlert

    HijackThis can't remove this entry because it is auto-starting from the Registry.
    F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe nnrs.gqo eejli

    When you posted the update about the McAfee problem, I was under the impression that your problem had been resolved- that's why I had you remove the cleaning tools. I usually ask for Combofix, then the Eset scan following, but I never got it in. It would be my preference for you now to run Combofix first, then the Eset scan and leave the 2 logs.

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix.

    Since you couldn't run the Eset online AV scan I requested in Post #8 at that time, you can try it now. If you still can't run it, use this one instead:

    Open Kaspersky Online Scanner in Internet Explorer


    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
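Added example, not part of the original posts: a Python check that reads HijackThis `F2` lines and reports anything in the Winlogon `Shell` or `UserInit` value beyond the stock Windows XP setting, which is what makes the `Shell=Explorer.exe rundll32.exe nnrs.gqo eejli` entry above stand out. The first two sample lines are quoted from the thread; the third line, the stock values and all function names are assumptions made for the example.

```python
import re

# Lines 1-2 are quoted from the thread; line 3 is constructed (stock XP value).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe nnrs.gqo eejli
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""

# HijackThis reports these two values, stored under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, as F2 entries.
F2_RE = re.compile(r"^F2 - REG:system\.ini:\s*(Shell|UserInit)=(.*)$", re.I)
STOCK_SHELLS = {"explorer.exe", r"c:\windows\explorer.exe"}
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"


def check_shell(value):
    """Return the unexpected part of a Shell value, or None if it is stock."""
    parts = value.strip().split(None, 1)
    if not parts:
        return "(empty Shell value)"
    if parts[0].lower() not in STOCK_SHELLS:
        return value.strip()                  # the shell itself was replaced
    return parts[1].strip() if len(parts) > 1 else None


def check_userinit(value):
    """Return extra comma-separated programs in UserInit, or None if stock."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return "(empty UserInit value)"
    extras = [e for e in entries if e.lower() != STOCK_USERINIT]
    return ", ".join(extras) or None


def describe_rundll32(extra):
    """If the extra text is a rundll32 call, name the module it loads."""
    tokens = [t for t in re.split(r"[,\s]+", extra.strip()) if t]
    if len(tokens) < 2 or tokens[0].lower() not in ("rundll32", "rundll32.exe"):
        return None
    module = tokens[1]
    return {
        "module": module,
        "export": tokens[2] if len(tokens) > 2 else None,
        # A module without a .dll extension is unusual and worth submitting
        # to a scanner, as the helper asks for in post 8.
        "non_dll_extension": not module.lower().endswith(".dll"),
    }


def scan(log_text):
    """Return one finding per F2 line whose value differs from stock."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = F2_RE.match(line.strip())
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        extra = check_shell(value) if key == "shell" else check_userinit(value)
        if extra:
            findings.append({
                "line": number,
                "entry": key,
                "unexpected": extra,
                "rundll32": describe_rundll32(extra),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```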
  18. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    I thought the problem was resolved too as it didn't show up at first.

    I could only disable the Firewall on McAfee but not the antivirus part. They seem to have updated their application/software as before, when I right-clicked on their icon, there was a disable option but not anymore.


    Here are both Combofix & Eset logs.


    ComboFix 10-04-21.01 - Compaq_Administrator 26/04/2010 9:36.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1491 [GMT 1:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\TEMP\logishrd\LVPrcInj01.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))
    .

    2010-04-25 12:35 . 2008-04-14 00:12 14336 ----a-w- c:\windows\system32\svchost.exe
    2010-04-16 18:26 . 2010-01-05 17:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-04-16 18:26 . 2010-01-05 17:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-04-16 18:26 . 2010-01-05 17:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2010-04-16 18:26 . 2010-01-05 17:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-04-16 18:26 . 2010-01-05 17:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2010-04-16 18:26 . 2010-01-05 17:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-04-16 18:26 . 2010-01-05 17:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-26 08:44 . 2010-02-15 22:37 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2010-04-26 08:44 . 2010-02-24 13:56 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
    2010-04-25 15:50 . 2009-08-25 20:08 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Skype
    2010-04-25 15:04 . 2009-08-25 20:11 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\skypePM
    2010-04-25 12:37 . 2009-02-01 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-04-24 07:59 . 2006-11-22 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-04-23 09:55 . 2010-02-13 16:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-22 15:32 . 2010-03-19 12:29 -------- d-----w- c:\program files\Coupon Printer
    2010-04-17 07:07 . 2009-05-05 19:32 -------- d-----w- c:\program files\McAfee.com
    2010-04-16 18:31 . 2006-11-21 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-16 18:31 . 2009-05-05 19:32 -------- d-----w- c:\program files\McAfee
    2010-04-16 18:30 . 2009-05-05 19:32 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-07 08:08 . 2006-09-08 01:59 -------- d-----w- c:\program files\Google
    2010-03-29 23:46 . 2010-02-13 16:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-29 23:45 . 2010-02-13 16:53 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-19 12:29 . 2010-03-19 12:29 31 ---ha-w- c:\windows\UKCpInfo.sys
    2010-03-11 12:38 . 2004-08-09 21:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2009-07-10 22:14 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-08-09 21:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-08-09 21:00 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-24 13:11 . 2004-08-09 21:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-16 14:08 . 2004-08-09 21:00 2146304 ------w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2004-08-10 04:00 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
    2010-02-15 08:41 . 2005-06-16 22:33 246784 ----a-w- c:\windows\system32\drivers\iaStor.sys
    2010-02-13 23:50 . 2010-02-13 23:50 503808 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2f30c1ea-n\msvcp71.dll
    2010-02-13 23:50 . 2010-02-13 23:50 499712 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2f30c1ea-n\jmc.dll
    2010-02-13 23:50 . 2010-02-13 23:50 348160 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2f30c1ea-n\msvcr71.dll
    2010-02-13 23:50 . 2010-02-13 23:50 61440 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-25413e57-n\decora-sse.dll
    2010-02-13 23:50 . 2010-02-13 23:50 12800 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-25413e57-n\decora-d3d.dll
    2010-02-13 23:50 . 2009-09-13 11:53 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-13 22:41 . 2010-02-13 22:41 52224 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-13 22:41 . 2010-02-13 22:41 117760 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-12 10:03 . 2010-02-24 12:56 293376 ------w- c:\windows\system32\browserchoice.exe
    2010-02-12 04:33 . 2004-08-09 21:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2004-08-09 21:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2006-12-19 10:50 . 2006-12-19 10:50 22 -csha-w- c:\windows\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "ftutil2"="ftutil2.dll" [2004-06-07 106496]
    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-20 7622656]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [16/04/2010 19:26 82952]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 08:56 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 08:56 74480]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [28/10/2008 16:42 156968]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [05/05/2009 20:34 93320]
    R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [16/04/2010 19:26 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [16/04/2010 19:26 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [16/04/2010 19:26 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [16/04/2010 19:26 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [16/04/2010 19:26 55456]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [16/04/2010 19:26 312584]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [16/04/2010 19:26 88480]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/12/2009 22:51 135664]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [16/04/2010 19:26 88480]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [16/04/2010 19:26 83496]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 08:56 7408]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder

    2007-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 14:21]

    2010-04-26 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-01 17:57]

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:50]

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.virginmedia.com/
    mStart Page = hxxp://www.google.com
    uSearchAssistant = hxxp://www.google.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    Trusted Zone: hmv.co.uk
    Trusted Zone: hmv.com
    DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://p.playfirst.com/play/game/cookingdash/CookingDashWeb.1.0.0.9.cab
    DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} - hxxp://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
    DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-26 09:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(5380)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\RTHDCPL.EXE
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\eHome\ehmsas.exe
    c:\windows\system32\wscntfy.exe
    c:\progra~1\mcafee.com\agent\McUpdate.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-26 09:50:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-26 08:50

    Pre-Run: 199,910,076,416 bytes free
    Post-Run: 200,014,491,648 bytes free

    - - End Of File - - C038066C10D749BC8C29AB41C9FC6E9E

    ---------------------------

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=53848ace982d1f40bf5e518ec9e446f3
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-04-26 10:19:53
    # local_time=2010-04-26 11:19:53 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 77289987 77289987 0 0
    # compatibility_mode=5121 16777173 100 75 829794 4065082 0 0
    # compatibility_mode=8192 67108863 100 0 174 174 0 0
    # scanned=98920
    # found=0
    # cleaned=0
    # scan_time=4748
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I'd like to make a recommendation: when the McAfee security subscription comes due again, consider not renewing it and getting one of the free AV programs and firewalls. I am amazed at the number of entries for McAfee: of the 15 drivers/services showing, 11 are for McAfee, 2 for SUPERAntiSpyware which will be removed, 1 for Seagate FreeAgent, 1 for Google Updater.

    There is also one entry that is causing a long discussion in the Logitech forum:
    c:\windows\TEMP\logishrd\LVPrcInj01.dll

    This is running from the temp folder. It shouldn't be. ComboFix deleted it, but it's back. You can read about it HERE if you want.

    I would also consider taking the webcam off of startup. You previously asked for information about the following:
    Access Startup using the msconfig utility: Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab:

    If you need to expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line between Command and Location and move to the right to expand.

    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything; it just stops it from starting on boot. It can be rechecked at any time if wanted. You don't do anything on the other tabs. When through> Apply> OK

    NOTE: When you reboot the system the first time after making changes, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Stay in Selective Startup to retain the changes.

    Re: NET Runtime: Updates are incremental:
    1. Update to Microsoft .NET Framework 3.0 Redistributable Package HERE:
    2. Then update to Microsoft .NET Framework 3.5 HERE

    Please rescan with HJT and paste a new log into your next reply.
  20. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    Thanks for the advice re: McAfee. I was just going to ask you about which free AV programs you'd recommend. My McAfee subscription's ending in 10 days' time. Perfect timing :)

    I'll read the post about the webcam when I have more time tonight.


    Here's the latest HJT log.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:38:44, on 26/04/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100416192619.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.hmv.co.uk
    O15 - Trusted Zone: http://*.hmv.com
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://p.playfirst.com/play/game/cookingdash/CookingDashWeb.1.0.0.9.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://uk.mcafee.com/Apps/WSC/en-gb/WscWlanScannerCtrl.cab
    O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader4.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: skype4com - (no CLSID) - (no file)
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 11808 bytes
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Are you still using Skype? If not, reopen HJT and check this for removal:
    O18 - Protocol: skype4com - (no CLSID) - (no file)
    Then click on Fix Checked.

    If you are still using it, reinstall the software.

    Unless you have a special 'intra'net set up, I recommend you remove these from the Trusted Zone. Nothing needs to be in this zone. It has less security than the internet zone:
    O15 - Trusted Zone: http://*.hmv.co.uk
    O15 - Trusted Zone: http://*.hmv.com


    This is just a homepage set up through your ISP. And putting the * as a wild card means anything in this domain can access your system with lowered security:
    Control Panel> Internet Options> Security tab> Trusted Zone> Sites> delete both of these entries.

    Regarding AV: Both of the following programs are free and known to be good:
    Avira Free
    Avast Home

    To change AV programs: Download the new one first but don't install yet.
    1. Boot into Safe Mode and disconnect from the internet.
    2. Remove the current AV in Add/Remove Programs, then the program folder using Windows Explorer.
    3. Double click to run the new AV.
    4. When installed, go back online and update the new AV.

    Please give me a recap of the system. Are the original problems resolved? Are there any problems from malware still present?
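Added example, not part of the original thread: a small Python triage pass over HijackThis item lines that flags what the replies above single out, namely Trusted Zone entries (wildcards in particular), entries with no backing file, and modules loaded from a temp folder. The sample lines are copied from the logs posted in this thread; the function names and rule names are assumptions made for this illustration.

```python
"""Triage of HijackThis item lines and loaded-module paths (added example)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str    # short rule identifier (hypothetical names)
    item: str    # the log line or path that triggered the rule
    reason: str  # why a reviewer should look at it


# HijackThis item lines look like "O15 - Trusted Zone: http://*.hmv.co.uk".
HJT_ITEM = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# A path segment named temp or tmp, in any letter case.
TEMP_SEGMENT = re.compile(r"\\te?mp\\", re.IGNORECASE)

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://*.hmv.co.uk
O15 - Trusted Zone: http://*.hmv.com
O18 - Protocol: skype4com - (no CLSID) - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Sample module paths copied from the ComboFix "DLLs Loaded" section.
SAMPLE_MODULES = [
    r"c:\windows\system32\WININET.dll",
    r"c:\windows\TEMP\logishrd\LVPrcInj01.dll",
    r"c:\windows\system32\ieframe.dll",
]


def triage_hjt(log_text: str) -> List[Finding]:
    """Return findings for the HijackThis item lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        match = HJT_ITEM.match(raw)
        if not match:
            continue  # header lines, running processes, blank lines
        code, body = match.groups()
        item = f"{code} - {body}"
        if code == "O15" and body.lower().startswith("trusted zone:"):
            site = body.split(":", 1)[1].strip()
            if "*" in site:
                findings.append(Finding(
                    "trusted-zone-wildcard", item,
                    "wildcard puts every host in the domain in the "
                    "lower-security Trusted Zone"))
            else:
                findings.append(Finding(
                    "trusted-zone", item,
                    "site runs with Trusted Zone (lowered) security"))
        if "(no file)" in body.lower():
            findings.append(Finding(
                "orphaned-entry", item,
                "registry entry points at a file that no longer exists"))
        if TEMP_SEGMENT.search(body):
            findings.append(Finding(
                "runs-from-temp", item,
                "binary is registered from a temp folder"))
    return findings


def modules_from_temp(paths: List[str]) -> List[str]:
    """Return the module paths that live under a temp or tmp folder."""
    return [p for p in paths if TEMP_SEGMENT.search(p)]


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f.rule}] {f.item}\n    {f.reason}")
    for path in modules_from_temp(SAMPLE_MODULES):
        print(f"[module-from-temp] {path}")
```

A finding here is a prompt for review, not a verdict: the temp-folder DLL in this thread belongs to the Logitech webcam software, and the helper still recommends looking into it.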
  22. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    Hi Bobbye

    So far, (touch wood) the pc seems to be running ok. I haven't had any unwanted pop-up error boxes or anything weird happening to the pc. Will sort out the AV programmes when McAfee runs out.

    I've removed the above entries and here's the updated HJT log.

    I'm going to make another separate post tomorrow re: hubby's laptop as McAfee seems to have picked up a virus (or something) in the winlogon.exe file.




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:38:45, on 27/04/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100427192038.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://p.playfirst.com/play/game/cookingdash/CookingDashWeb.1.0.0.9.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://uk.mcafee.com/Apps/WSC/en-gb/WscWlanScannerCtrl.cab
    O16 - DPF: {A1F35586-A5A8-4D37-947A-81875350B11F} (Bonusprint Image Uploader Version 4.5 Control) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader4.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
    O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: skype4com - (no CLSID) - (no file)
    O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Personal Firewall (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 11697 bytes
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Okay, HijackThis looks fine except for the missing Skype entry I addressed previously.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name > click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Didn't we work on the other computer recently?

    Let me know if you need more help
  24. mummyal

    mummyal Newcomer, in training Topic Starter Posts: 93

    All done. Thank you so much for all your help.
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You're welcome. Glad to help! Will work on the other system a bit later.

    Please follow these simple steps to keep your computer clean and secure:

    1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP > SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    3. Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
    4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
    5. Use an AntiVirus Software (only one)
    See Virus, Spyware, and Malware Protection and Removal Resources

    6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls - both are free and good:
    Comodo or Zone Alarm
    7. Consider these programs for Extra Security
    • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop-up windows.