Unable to open programs... latent infection?


  • This topic is locked
50 replies to this topic

#1 Sempurna

Posted 02 April 2006 - 11:12 AM

Hi to all you wonderful volunteers! :wave:

This would be my second topic posted in the forum. Have another posted a couple of days ago in another forum because it's definitely an infection which I cannot get rid of, and it's on another PC.

The problem I have is with my laptop. It's a Dell Inspiron 510m, with Windows XP SP2. It used to be infected with a host of things, all bar one have been eliminated (thank the stars!).

I use the following anti-virus, anti-spyware, and firewall apps, all updated to the latest versions with the latest definitions:

1. ZoneAlarm Free
2. AVG Free
3. SpywareBlaster
4. SpywareGuard
5. Ad-Aware SE Personal
6. Spybot S&D
7. Windows Defender
8. Spyware Doctor Free (just for scanning purposes to pick up anything the rest could have missed).

The laptop is now mostly clean. However, I keep getting an internet explorer script message whenever I try to open up HP Director (a wizard for printing, scanning, faxing, updating, etc for my HP all-in-one printer), and HP Director would now refuse to open. It used to be working fine before the cleaning session done with the above apps. I even tried a system restore to no avail. :weep:

HP support has not been able to solve my problem, and there is no documentation on this problem with Microsoft. Have googled this particular problem, and found a similar entry at the Firefox forum. But, they sound stumped (they figure either HP support or Microsoft support would have a solution, but alas...). :wtf:

Here is my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:47 AM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\HP\Digital Imaging\bin\hpqdirec.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126785145066
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B71F2E0-B93F-410D-814E-964CD246E2C5}: NameServer = 202.188.0.136,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BC7C753-04EF-43FD-90A2-AA061502A858}: NameServer = 202.188.0.136,202.188.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Previously, I was using Norton Internet Security & Anti-virus exclusively. What a mistake that was! Infections bypassed the Norton security measures, firewall, and resident anti-virus like they didn't exist! Not to mention it slowed down my laptop tremendously! But, have disabled Norton, and cleaned the laptop using the abovementioned apps. There is only one infection left (I hope!), which unfortunately has taken up residence in the system restore files. The above apps couldn't find it, but a Kaspersky scan found it.

Here is the log of my latest Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, April 01, 2006 6:57:22 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 1/04/2006
Kaspersky Anti-Virus database records: 185452
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 78443
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:06:07

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP412\A0104834.scr Infected: Email-Worm.Win32.Bagle.g skipped

Scan process completed.


Questions:

1. Could this infection be causing the non-operational status of my HP Director wizard?
2. If it is, what can I do next? I don't know how to disinfect a worm that seems to be resident in the laptop's system restore files.
3. If the infection is not causing my HP Director problem, then what is causing this freakish breakdown?

Have tried uninstalling and reinstalling my HP software, to no avail. Have done it a few times, even in safe mode, with all anti-virus and anti-spyware apps disabled. Have also checked "Disable script debugging" and unchecked "Display a notification about every script error" in the Advanced tab of Internet Options.

Would like to try to repair/reinstall Internet Explorer, but don't know how. Figure if it's just a corrupted IE file or something, then a reinstall would solve the problem. But, all the documentation about this at Microsoft is, quite frankly, very intimidating. Especially the part about losing data. Would like to avoid this if possible.

Oh, by the way, have done a chkdsk and sfc scan. Both turned up nothing. So, can't be a corrupted or damaged IE file, right?

Would appreciate all the help and advice you guys can offer me. I'm really grateful for your time and effort.

Much thanks in advance!

Best regards to all!! :D
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#2 Sempurna

Posted 03 April 2006 - 03:25 AM

Hi y'all,

Forgot that you may need the details of the particular script error message. There are two:

1. Line : 289
Char : 7
Error : Object required
Code : 0
URL : file://C:\Program Files\HP\Digital Imaging\bbfe\director\director3htm

Answering "Yes" or "No" to the query, "Do you want to continue running scripts on this page?" makes no difference as the 2nd script error message would occur again:

2. Line : 36
Char : 2
Error : Object doesn't support this property or method
Code : 0
URL : file://C:\Program Files\HP\Digital Imaging\bbfe\director\director3htm

Once again, answering "Yes" or "No" to the query, "Do you want to continue running scripts on this page?" makes no difference as HP Director will now fail to execute.

Hope someone can figure this out. Really appreciate your time.

Have a good one...
not-so-brilliant

#3 iguagaby

Posted 06 April 2006 - 09:59 PM

Hi notsobrilliant,

In order to delete that infection in the system restore files, you need to flush all system restore points so that the infection doesn’t restore itself when you turn your computer back on. You just need to do the following:

How to turn off System Restore:
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.

Now let's turn on your System Restore again.

How to turn on System Restore:
Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.


Your system will create a system restore point when you turn it back on, but if you like, you can also create a restore point manually right away as follows:

1. Go to Start/All Programs/Accessories/System Tools/System Restore
2. Press Create a restore point and press Next.
3. In the Restore point description box, type a descriptive name to append to the date and time.
4. Press Create.

If after this you still have the problem, we can try something else, but first post a fresh HJT log for me to see if it’s clean.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#4 Sempurna

Posted 07 April 2006 - 10:41 AM

Hi iguagaby! :wave:

Thanks for your quick reply, and apologies for my tardy reply. :)

I know that you are volunteering your precious time, and I'm most grateful for it.

Have done as you instructed. Have also done a complete scan with the following apps (hope you don't mind, although it wasn't in your instructions to do so...):
  • AVG Free - nothing
  • Ad-Aware SE Personal - nada
  • Windows Live Safety Center - zilch
Yeh! It appears that we have managed to clean up everything.


Here is my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:18:11 AM, on 4/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126785145066
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B71F2E0-B93F-410D-814E-964CD246E2C5}: NameServer = 202.188.0.136,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BC7C753-04EF-43FD-90A2-AA061502A858}: NameServer = 202.188.0.136,202.188.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Questions:
  • I have disabled the realtime scan and firewall of Norton Security since I installed AVG Free and ZoneAlarm. Can I uninstall Norton since I've not renewed its subscription?
  • I know that you are all expert volunteers when it comes to spyware and virus infections. Would I be taking too much of your time with my IE script error? I would feel really guilty since your time could be better spent helping another member with their spyware and/or virus infections.
  • If your time could be better spent helping another forum member with their spyware/virus infections, perhaps you could re-direct me to another public forum or website where I could get assistance with my IE script error problem? No hard feelings if that's what you think I should do. :D

And yes, although my laptop now seems to be clean of spyware/virus infections, the IE script error with my HP Director wizard and its stubborn refusal to load still persists. :wtf:

Thank you once again for your precious time, iguagaby! Really do appreciate it.

Have a good one! :wave:
notsobrilliant
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#5 iguagaby

Posted 08 April 2006 - 12:26 AM

Hi notsobrilliant,

Having two antivirus programs as well as two firewalls in your system is definitely not a good idea because they can create conflicts. I suggest choosing one and totally uninstalling the other one, especially since you are not going to renew Norton’s subscription. I hope you have Windows Firewall turned off. As for the time spent helping you, it is not a problem at all.

I suggest to uninstall all software related to your HP. I have a feeling the malware is responsible for its malfunction, but a clean uninstall and reinstall should help the problem.

Open HJT and make sure all browsers and windows are closed except for hijackthis and click "Do a system scan only" and put a check next to the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

If the domain is not from your ISP or company network, have HJT fix the following O17 entries. They look suspicious to me, but you decide.

O17 - HKLM\System\CCS\Services\Tcpip\..\{6B71F2E0-B93F-410D-814E-964CD246E2C5}: NameServer = 202.188.0.136,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BC7C753-04EF-43FD-90A2-AA061502A858}: NameServer = 202.188.0.136,202.188.1.5


Then click Fix Checked.

After that, reboot normally. Please report back.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#6 Sempurna

Posted 09 April 2006 - 03:05 AM

Hiya iguagaby, :wave:

Sorry for the tardiness of this reply. Been a bit tied up lately, not to mention trying to catch up on all the reading in Boot Camp. ^_^

Have done as you instructed. Firstly, have uninstalled Norton Security & Anti-virus as the subscription has already expired (although I had earlier turned off its realtime scanning and firewall features after installing AVG Free and ZoneAlarm). Windows Firewall has also been turned off from day 1 since Norton came bundled with this laptop.


The following HJT entries were fixed:
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

If the domain is not from your ISP or company network, have HJT fix the following O17 entries. They look suspicious to me, but you decide.

O17 - HKLM\System\CCS\Services\Tcpip\..\{6B71F2E0-B93F-410D-814E-964CD246E2C5}: NameServer = 202.188.0.136,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BC7C753-04EF-43FD-90A2-AA061502A858}: NameServer = 202.188.0.136,202.188.1.5


Have verified that these are the DNS Servers of my ISP.


Have done a clean uninstall and re-install of the HP software that came with the all-in-one printer after cleaning the above HJT entries. The IE script error still persists. :wtf:

Any ideas where we should go from here?

Thanks again for your valuable time, iguagaby. Really do appreciate it.

Have a happy day! :wave:

#7 iguagaby

Posted 09 April 2006 - 11:12 AM

Hi notsobrilliant,

There must be a way to solve this. Let’s keep trying.

What HP printer is it? Is it HP K60? You might have driver conflicts or missing drivers.

Did you upgrade to Windows XP 2 after cleaning your system of that malware or before? Upgrading to Windows XP 2 while infected would create problems too.

BTW, Keep up the reading at Boot Camp. The more malware fighters we have, the better.

#8 Sempurna

Posted 09 April 2006 - 09:52 PM

Hi iguagaby, :wave:

Thanks for your support and your precious time on this. Really do appreciate it! :D

What HP printer is it? Is it HP K60? You might have driver conflicts or missing drivers.

I use an HP OfficeJet 5510 all-in-one (printer, fax, scanner, & copier). It's about a year old. Never had any problems with HP Director (the printing wizard) before. My other laptop's HP Director is working just fine, although that one managed to escape infections as it is hardly used to surf the net. Same protection on that laptop now. :)

Did you upgrade to Windows XP 2 after cleaning your system of that malware or before? Upgrading to Windows XP 2 while infected would create problems too.

The laptop came bundled with Windows XP SP2. I also regularly check Windows Updates even though I have the autoupdate turned on. Also realized by reading the forums here that it is most unwise to upgrade to Windows XP SP2 when a computer's not fully cleaned of infections like you said. Wow, that was a revelation! Never knew that... :)

Have Googled this problem, and actually came up with a forum discussion about the exact same problem. You could take a look at it here. Although that thread died out without a resolution, it appears that this is not a new problem.

Have even followed HP Support's instructions on how to do a complete and clean uninstall. Took hours! And then reinstalled with all protection software turned off. Yet, the IE script error would re-occur, and HP Director would not execute. HP Support insists this is probably due to a corrupted/missing IE file, and not their software. Have done a chkdsk and sfc scan on the laptop. Turned up nothing. How do we know that HP Support is on the right track here, and not just giving me the runaround?

Btw, I can print from other apps like MS Word. But, without HP Director, I can't use the more extensive print/scan/copy/fax options available for my HP all-in-one. I can just do a basic print from a 3rd party app, do a basic copy from the machine, and do a basic fax from the machine.

Thanks for your kind words about Boot Camp, iguagaby! Lots to read. I figure if I do some intensive reading and re-reading, keep up with a few live threads to see how you experts solve a problem, and practice what I've learned on some of the resolved logs, I should be ready to do a practice log or two in a few weeks. Then the hard part comes after that! :D

Thanks again for your time, iguagaby. I'm also most appreciative of your support about Boot Camp (can be intimidating and overwhelming!).

Have a good one!

#9 iguagaby

Posted 09 April 2006 - 11:11 PM

Hello notsobrilliant, :wave:

My pleasure to help!!!

Boot Camp can be overwhelming at times because there is a vast amount of information to absorb, but it is very rewarding in the end. I hope you stay with it.

When you re-install the software, do you make sure you have your printer disconnected from your computer?

Just in case there is something still hiding in your system, let’s try to do an online scan here:

http://www.pandasoft.../activescan.htm

1. Once you are on the Panda site click the Scan your PC button
2. A new window will open...click the Check Now button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
10. When download is complete, click on Local Disks to start the scan
11. When the scan completes, if anything malicious is detected, click the See Report button; then Save Report and save it to a convenient location. Post the contents of the Panda scan report in your next reply

We’ll try something else, and I’ll get someone’s opinion on this as well if we have to.

#10 Sempurna

Posted 10 April 2006 - 11:53 PM

Hiya iguagaby, :wave:

When you re-install the software, do you make sure you have your printer disconnected from your computer?

Yup, when I re-installed the software the printer was disconnected from the laptop. During re-install, the wizard would prompt to connect to the printer.

Just in case there is something still hiding in your system, let’s try to do an online scan here:

Good idea! Have done the scan, and here's the log:


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Leslie Quah\My Documents\My Downloads\l2mfix.exe[Process.exe]

Guess that would be the l2mfix I downloaded to fix a particularly tough Look2Me variant in my work PC. Was helped out by Martijnc on that one. :)

This problem is becoming quite challenging.

And, yes, Boot Camp is getting less intimidating. Getting the hang of things now. A bit more studying, and I should be able to practice on some resolved and/or live logs, and then get my hands dirty on the practice logs. And, you bet I'll stay with it to the very end! Wouldn't want to disappoint you and the other good people here! :D

Thanks again for your help, iguagaby!

Have a good one!

#11 iguagaby

Posted 11 April 2006 - 12:12 AM

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Leslie Quah\My Documents\My Downloads\l2mfix.exe[Process.exe]


That won't do you any harm, but you don't need it anymore, so you might as well get rid of it.

A bit more studying, and I should be able to practice on some resolved and/or live logs, and then get my hands dirty on the practice logs. And, you bet I'll stay with it to the very end! Wouldn't want to disappoint you and the other good people here! :D

That is music to my ears (my eyes)!!! :p

I was just about to go to bed. Let me do some thinking on this one. I'll get back to you as soon as I can.

#12 Sempurna

Posted 11 April 2006 - 03:23 AM

Thanks a bunch for sticking with me through this, iguagaby! Really do appreciate it! :D

Do have a good night's sleep. Let me know if you or some of the other experts come up with something.

Have a good one! :wave:

#13 iguagaby

Posted 11 April 2006 - 10:02 PM

Ok notsobrilliant,

Let's do some searching. Using Windows Explorer, find the following:

In the …\C:\Program Files\HP\Digital Imaging\bbfe\director, search for an activeXControls folder and see if you can find a .dll file related to HP director. I have a feeling that we might have to register a .dll file in order for you to correct that error. Let me know what you find. Do not delete anything, please.

#14 Sempurna

Posted 12 April 2006 - 02:07 AM

Hiya iguagaby, :wave:

Have done the search as you requested. No ActiveX Control folders to be found. Only a few html docs, one folder named "js" with some script files, and another folder "loc" with some text files. Also, no hidden folders or files to be found.

Tried to paste a screen capture of the above in this post for your perusal, but don't know how to do it. Amateur that I am! :D

Also tried to paste a screen capture of all the ActiveX Controls installed in my laptop, but same result as above. Nonetheless, there is an "unknown" ActiveX Control which I believe to be HP related, but in what way I can't tell. The details are as follows:
Sorry I couldn't be more helpful. :blush:

#15 iguagaby

Posted 12 April 2006 - 09:31 AM

Sorry I couldn't be more helpful. :blush:

No worries!! :thumbsup: We can still work with this info. At the moment, I'm at work, but I have a few minutes yet before I start. It's going to be a long day. Wednesdays are usually like that. I'll check on this later in more detail.

Take care and keep smiling!!! :p

#16 Sempurna

Posted 12 April 2006 - 08:45 PM

Hi iguagaby, :wave:

Thank you for your kind words of encouragement! Really grateful for them! Will keep my chin up and keep smiling. Yes! :D

Looking forward to hearing from you again soon.

Have a good one! :wave:

#17 iguagaby

Posted 12 April 2006 - 10:33 PM

C:\WINDOWS\DOWNL...\LOGINFO.DLL

Is the following the full path of that file?

C:WINDOWS\DownloadedProgramFiles\logInfo.dll

That is the only one thing that I'm suspicious of because of the file name.

#18 Sempurna

Posted 13 April 2006 - 10:15 AM

Tried to find the file to confirm the full path of the file. Unable to find the file. Initially used Windows Explorer to try to find it, but no success.

Then tried using the SEARCH option in the START menu. Full search, with advanced options for hidden folders and files enabled, turned up nothing as well.

Don't know which is more troubling... That the file doesn't exist, or if it did exist. :)

#19 iguagaby

Posted 13 April 2006 - 12:09 PM

Don't know which is more troubling... That the file doesn't exist, or if it did exist. :)

Interesting!!!! :scratchhead:

Could you please run HJT in both safe mode and normal mode to see if something else shows there. Make sure to set the system to show all files and folders. Post both for me to see.

I’m at work at the moment having my coffee break; I won’t be home until sometime in the evening. A busy day again, but that is nothing new. I’ll check on you as soon as I get home.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!
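
Comparing a Normal Mode log against a Safe Mode log, as requested in the post above, is a set difference over the log entries. The following Python is an added example, not part of the original posts or of HijackThis; the sample lines are excerpted from the two logs posted further down this thread, and the function names and the per-user versus machine-wide heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# A HijackThis entry is a section code (R0, O4, O23, ...) then " - " then the entry text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Sample input: lines excerpted from the Normal Mode log in this thread.
NORMAL_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
"""

# Sample input: lines excerpted from the Safe Mode log in this thread.
SAFE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
"""


def parse_hjt(text):
    """Return (running processes, set of (code, entry) pairs) for one log."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False  # the first entry line ends the process list
            entries.add((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries


def is_per_user(entry):
    """Heuristic (assumption): HKCU values and the per-user Startup folder
    belong to whichever account ran the scan."""
    return entry.startswith("HKCU\\") or entry.startswith("Startup:")


def compare(normal_text, safe_text):
    """Group the differences between a Normal Mode and a Safe Mode log."""
    n_procs, n_entries = parse_hjt(normal_text)
    s_procs, s_entries = parse_hjt(safe_text)
    report = defaultdict(list)
    # Symmetric difference: entries present in exactly one of the two logs.
    for code, entry in sorted(n_entries ^ s_entries):
        where = "normal_only" if (code, entry) in n_entries else "safe_only"
        scope = "per_user" if is_per_user(entry) else "machine_wide"
        report[f"{where}/{scope}"].append(f"{code} - {entry}")
    # Registrations whose target no longer exists, e.g. uninstall leftovers.
    report["missing_file"] = sorted(
        f"{c} - {e}" for c, e in n_entries | s_entries
        if e.endswith("(file missing)")
    )
    report["procs_normal_only"] = sorted(n_procs - s_procs)
    report["procs_safe_only"] = sorted(s_procs - n_procs)
    return dict(report)


if __name__ == "__main__":
    for group, lines in compare(NORMAL_LOG, SAFE_LOG).items():
        print(f"[{group}]")
        for item in lines:
            print("   ", item)
```

Entries that resolve through HKCU or the per-user Startup folder differ whenever the two scans run under different accounts, so the machine-wide differences and any process seen only in Safe Mode are the ones worth reading first.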


#20 Sempurna

Posted 13 April 2006 - 11:29 PM

Have done as you instructed. Have enabled the system, in both Normal Mode and Safe Mode, to show all files and folders before scanning with HJT.
  • Enabled "Show hidden files and folders"
  • Disabled "Hide extensions for known file types"
  • Disabled "Hide protected operating system files (Recommended)"
Now here's the weird thing. I have two user profiles with administrator privileges on this laptop, my own and my wife's. When I booted into Safe Mode, it would only allow me to either use the default Administrator profile or my wife's. My own user profile is not shown as an option in Safe Mode.

So, booted Safe Mode using the default Administrator profile, and subsequently did a scan with HJT. Hope that doesn't screw up the scan or anything.


HJT log in Normal Mode:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:56 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126785145066
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B71F2E0-B93F-410D-814E-964CD246E2C5}: NameServer = 202.188.0.136,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BC7C753-04EF-43FD-90A2-AA061502A858}: NameServer = 202.188.0.136,202.188.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



HJT log in Safe Mode:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:43, on 14/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126785145066
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B71F2E0-B93F-410D-814E-964CD246E2C5}: NameServer = 202.188.0.136,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BC7C753-04EF-43FD-90A2-AA061502A858}: NameServer = 202.188.0.136,202.188.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Been also trying to research and read up as much as possible on the reasons for IE script errors. Don't want you to think that I'm just sitting on my hands and not doing my fair bit. The going is slow though, considering my computer knowledge is probably somewhere between high-level novice to low-level intermediate at best. :p

Was wondering if the IE script error could be caused by multiple Java apps? I noticed that I have the following listed in my "Add or Remove Programs" window:
  • J2SE Runtime Environment 5.0 Update 6
  • Java 2 Runtime Environment, SE v1.4.2_03
Haven't gone through the HJT logs on my own just yet. Will get to it right away after I post this.

Thanks again for sticking with me on this, iguagaby. Most, most grateful! :)
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#21 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 14 April 2006 - 01:25 AM

Was wondering if the IE script error could be caused by multiple Java apps? I noticed that I have the following listed in my "Add or Remove Programs" window:

  • J2SE Runtime Environment 5.0 Update 6
  • Java 2 Runtime Environment, SE v1.4.2_03

Those should be fine.

Again, nothing in those logs.

Ok, when you got rid of L2me infection, did you clean both profiles? Maybe one profile is still infected. That could happen sometimes.

Since you uninstalled Symantec, it would be a good idea to get rid of anything else related to it. Let’s get RegSeeker to clean it for us.

OK, this is what I would like you to do, please. Go here and download RegSeeker:

http://www.majorgeek...wnload2579.html

The download link is just below the “Download from” you see in that page.

Extract all the files into a folder of its own and save it in your documents.
Then open the folder and click “RegSeeker” to open the program.

The program will show you many options.

Below the name “RegSeeker” click “Find in Registry.”
In the “Search for” window type symantec.
Click “Search”. It should find all files related to it.

Once it finds them, click “Select all” and then delete. Reboot after.

If you want, try to see if you can find the previous file we wanted.

Can you please also go here to see if you need to update any drivers you might have missing.

http://h10025.www1.h...55&lang=en&y=6

Take care!! I’ll check on you tomorrow.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#22 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 16 April 2006 - 11:09 PM

Hi iguagaby, :wave:

Happy Easter!!

Ok, when you got rid of L2me infection, did you clean both profiles? Maybe one profile is still infected. That could happen sometimes.

The L2M infection was on my personal assistant's PC. I downloaded l2mfix onto my laptop at that time because I was at home. I then uploaded l2mfix into the PC, and ran it as instructed by Martijnc. It cleaned things up pretty nicely. :) And, oh, that PC does have multiple profiles. I will run HJT and check for any leftover L2M infections that l2mfix didn't catch.

Hmm, wonder why on my laptop Safe Mode doesn’t show my user profile? :scratchhead:

I've done as you instructed with RegSeeker. No problems.



If you want, try to see if you can find the previous file we wanted.

I still couldn't find it. The “DownloadedProgramFiles” folder would only list out the installed ActiveX Controls that are present in the laptop. However, using the SEARCH option in the START menu, with search in hidden files and folders enabled, turned up a few registry entries. The ones in blue are the ones I did with RegEdit:
  • REGBACKUP in C:\Documents and Settings\Leslie Quah\Desktop
  • REGBACKUP_20060324 in C:\Documents and Settings\Leslie Quah\Desktop
  • REGBACKUP_20060324_A in C:\Documents and Settings\Leslie Quah\Desktop
  • regLocal in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups
  • RegDPFGlobal in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots
Strange that these didn’t turn up in any of the previous searches I did. :scratchhead:



Can you please also go here to see if you need to update any drivers you might have missing?


Yup, I have downloaded and installed the latest drivers. Took me a few tries because the driver file was so BIG!! :) Finally managed to download it on Sunday, after 6 ½ hours!!

The IE script errors still occur though, and HP Director stubbornly refuses to run.

The IE script errors have changed (or at least the Line and Char numbers have):
  • Internet Explorer Script Error
    An error has occurred in the script of this page.
    Line: 314
    Char: 7
    Error: Object required
    Code: 0
    URL: file://C:\Program Files\HP\Digital Imaging\bbfe\director\director3.htm

  • Internet Explorer Script Error
    An error has occurred in the script of this page.
    Line: 39
    Char: 2
    Error: Object doesn’t support this property or method
    Code: 0
    URL: file://C:\Program Files\HP\Digital Imaging\bbfe\director\director3.htm

Item #1 will occur when I try to run HP Director. Clicking “YES” or “NO” to the question “Do you want to continue running scripts in this page?” makes no difference, as item #2 will then pop up. Clicking “YES” or “NO” has no effect. Then HP Director will not load or run.

You take care, too!! Have a good one!! :)

#23 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 18 April 2006 - 12:12 AM

Happy Easter!!

Thank you!!! I had a happy Easter. I hope yours was a happy one as well.

Hmm, wonder why on my laptop Safe Mode doesn’t show my user profile? :scratchhead:

That is very puzzling. It could have something to do with our mystery files too.

  • REGBACKUP in C:\Documents and Settings\Leslie Quah\Desktop
  • REGBACKUP_20060324 in C:\Documents and Settings\Leslie Quah\Desktop
  • REGBACKUP_20060324_A in C:\Documents and Settings\Leslie Quah\Desktop
  • regLocal in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups
  • RegDPFGlobal in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots
Strange that these didn’t turn up in any of the previous searches I did. :scratchhead:

Can you please check what kind of backups they are. We can delete them with RegSeeker if you don’t need them anymore.


The IE script errors still occur though, and HP Director stubbornly refuses to run.

This is quite a challenge so far, but I have more ideas yet.

Let’s see if the following finds anything for us. Please download, install, update and scan your system with free trial version of Ewido trojan scanner here: http://www.ewido.net/en/download/
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so just give it time.
5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.

If you don’t have Crap cleaner yet, please download it. You can get it here:

http://www.filehippo...d_ccleaner.html

Install it
Open it
Under “options/advanced” uncheck “Only delete files in Windows temp folders older than 48 hours.”
Click Cleaner/Run cleaner. Let it clean everything it finds.

Then please go here and download this windows update if you don’t have it yet.

http://www.microsoft...n/ms05-054.mspx

Please let me know how things are running and post another HJT log.

#24 Rob499

Rob499

    Member

  • Full Member
  • 2 posts

Posted 19 April 2006 - 01:39 AM

Excuse me butting in, but I'm getting the same problem with my copy of HP Director. I'm running Windows 98SE, kept updated from the MS web site, but in my case Director is used in conjunction with an HP Scanjet 4070 scanner.

I run Norton AV software (kept updated) and have run a full scan of my computer - nothing reported.

I don't have a spyware package - I tried one a month or so back, but it damaged performance so badly that I had to uninstall it.

I have a firewall on my router, so I don't run one on the PC. I had problems with ZoneAlarm blocking my bank's site about three years ago, so I unloaded it and bought the firewall router and haven't looked back since.

I've tried uninstalling and reinstalling the HP software. No improvement.

I've tried reinstalling IE6 from the MS web site, without uninstalling first. No improvement.

The HP web site suggests uninstalling any software that you've installed since the last time HP Director ran successfully - but I can't recall installing any.

I have no reason to think that I've caught any infections, other than this malfunction - which could easily be something else.

But at least you have two machines you can work with now!

I look forward to your comments.

Regards,
Rob499.

#25 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 19 April 2006 - 04:41 AM

Hiya iguagaby!! :wave:

First of all, please let me thank you from the bottom of my heart for your patience with this. I am most glad and grateful for your help. I can’t thank you enough!! :)

And, oh, Easter was good!! :)

Guess what? The HP Director problem seems to have resolved itself from an unexpected source. I just bought a new HP OfficeJet 5610 to use in my office, and I downloaded the software/driver that came with it. It overwrote the old software, and it has an updated all-in-one wizard called HP Solution Center, which is just a jazzed up version of HP Director. And it works just fine!! :)

The problem is obviously with HP’s old software and/or drivers (including the updated ones), and not Internet Explorer. I figure they just couldn’t be bothered to patch it up. Ha! :)

Maybe as time went by HP forgot to keep track of all the security updates for Windows and Internet Explorer? And because I regularly update Windows and Internet Explorer, something just didn’t click with the older HP software/drivers? Of course, that doesn’t explain why HP Director in my wife’s laptop is working just fine with the same updates. :scratchhead:

HP’s enclosed literature states that the new software and drivers should work with my older HP OfficeJet 5510 as well. I will test that premise ASAP.

Wow, if anyone else encounters this problem in the forums, at least we have a solution! Of sorts… :p


Can you please check what kind of backups they are. We can delete them with RegSeeker if you don’t need them anymore.

The first three in the list were backups of the entire registry that I did with the “REGEDIT” command in the “RUN” window prior to when I first started cleaning out my laptop from the various minor infections with AVG Free Edition, Ad-Aware SE Personal, and Spybot S&D.

Everything seems to be running fine since then, bar the HP Director thingie (and now the Safe Mode thingie). Should I just delete the registry backups from the Desktop? Or use RegSeeker to do that?


  • Let’s see if the following finds anything for us. Please download, install, update and scan your system with free trial version of Ewido trojan scanner here:
  • If you don’t have Crap cleaner yet, please download it.
  • Then please go here and download this windows update if you don’t have it yet.

Have done as you instructed. Ewido didn’t find anything. Have posted the log below.

Have used CrapCleaner to clean my laptop. No problems.

Yup, already have that particular Windows update.

The laptop is running pretty ok, other than the mysterious files which could be the reason I can’t log on using my own profile in Safe Mode. :scratchhead:


Ewido log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:02:15 PM, 4/19/2006
+ Report-Checksum: E400B05D

+ Scan result:

No infected objects found.

::Report End


HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 6:28:23 PM, on 4/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\system32\dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.l...lscbase7617.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126785145066
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B71F2E0-B93F-410D-814E-964CD246E2C5}: NameServer = 202.188.0.136,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BC7C753-04EF-43FD-90A2-AA061502A858}: NameServer = 202.188.0.133,202.188.0.132
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: SNDSrvc - Silicon Integrated Systems Corporation - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Well, it looks like the HP Director problem can be fixed. Sort of. But, it's definitely not a very practical solution. How would Rob499 solve his problem (see above post)? :p

Now if only the Safe Mode thingie can be solved as easily... :whistle:

Thanks again for sticking with me on this. Really do appreciate your patience.

Have a good one, and take care!!

#26 Rob499

Rob499

    Member

  • Full Member
  • 2 posts

Posted 19 April 2006 - 08:09 AM

As it happens, I've cured my problem too. The story...

I still had a copy of Spy Doctor on the computer, which no longer runs at start up because of the performance issues that I mentioned earlier. I used the Smart Update facility to get the latest signatures, after which Win98 failed to boot, failing on loading esdi_506.pdr. I've had this before, but I managed to run Spy Doctor in Safe Mode, where it reported an IE add in, related to a particular product. Something like Kabara (?). I do remember that it was adware related, but I can't tell you which program exactly, for reasons that will become obvious, but I allowed Spy Doctor to remove it.

I copied esdi_506.pdr from another computer, but that didn't fix the problem. As I said, I've had this problem with Spy Doctor before, so I uninstalled it in frustration. Which, of course, destroyed the logs of what it had found...

I reinstalled Win98 from the CD-ROM. During the reboot cycle it found a fault with the registry, so it restored an old version.

Finally Win98 ran. And when I tried HP Director, it worked.

Was the HP Director problem due to the add-in that Spy Doctor removed?
Was it a problem with Win98 that the reinstall put right?
Was it a problem with the registry?

I don't know. Sorry!

But having Googled for a solution and found about 6 others with the same problem and no solution, suddenly there are two solutions posted within hours of each other!! Just like a number 45 bus, wait for hours and then two come along at once!

Thanks for being there - I've read some of the help that's been offered to others, and your willingness to give of your time restores faith in humanity.

Regards,
Rob499

PS Any recommendation on a decent package to use instead of Spy Doctor, that won't corrupt Win98 or slug system performance too much?

PPS Any thoughts on sorting global warming? :o)

#27 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 20 April 2006 - 12:45 AM

First of all, please let me thank you from the bottom of my heart for your patience with this. I am most glad and grateful for your help. I can’t thank you enough!! :)

Not a problem at all!!! :p

Guess what? The HP Director problem seems to have resolved itself from an unexpected source. I just bought a new HP OfficeJet 5610 to use in my office, and I downloaded the software/driver that came with it. It overwrote the old software, and it has an updated all-in-one wizard called HP Solution Center,

Actually the OfficeJet idea was in my mind just before you found that mystery file that sent me on a goose chase. I wanted to make sure it wasn’t malware related before trying that. That’s why I had you try Ewido to see if it would come clean. Anyway, I’m happy the Director problem is gone now.

Of course, that doesn’t explain why HP Director in my wife’s laptop is working just fine with the same updates. :scratchhead:

That is definitely puzzling!!!

Everything seems to be running fine since then, bar the HP Director thingie (and now the Safe Mode thingie). Should I just delete the registry backups from the Desktop? Or use RegSeeker to do that?

From the Desktop should be fine. You can also use RegSeeker to clean the registry and get it to delete any red entries that show. If you see any old files that you are one hundred per cent sure belong to programs you no longer have in your system, you can delete those also.

Now if only the Safe Mode thingie can be solved as easily... :whistle:

We’ll keep working on this.

Let’s get rid of a few things in your log, but first do the following:

Disable SpywareGuard:

You have SpywareGuard installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Right click the running icon of SpywareGuard, it will open the program.
  • Then go to Menu, file, exit.
  • Then confirm the program is closed.
After all of the fixes are complete it is very important that you enable SpywareGuard again.

Disable Ewido:

Please disable Ewido, as it may interfere with the fix.

From the system tray:
  • Right-click the system tray icon and uncheck real time protection.

    or From within Ewido -
  • Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.
You can re-enable Ewido right after rebooting.

Open HJT and make sure all browsers and windows are closed except for hijackthis and click "Do a system scan only" and put a check next to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)

Since you have this O4 entry disabled anyway, you can fix it too.

O4 - Startup: Webshots.lnk.disabled

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -

O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: SNDSrvc - Silicon Integrated Systems Corporation - (no file)

Then click Fix Checked.

After that, reboot normally and reset your home page manually.

Then if you still can’t use the safe mode, please do the following:

1. Open HJT
2. Click “Open The Misc Tools Section”
3. Click “Open Uninstall Manager…”
4. Click “Safe List…”
5. Notepad will open up with a text. Copy and paste that text in your next reply.

Please download SilentRunners from here:
http://www.silentrun...ent Runners.vbs
Save it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.
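The leftover entries in the fix list above (targets marked "(file missing)" or "(no file)", DPF entries with no download source, a disabled startup shortcut) can be picked out of a HijackThis log mechanically. The Python sketch below is an added example, not part of the original posts and not part of HijackThis; the function names and the four rules are assumptions derived from the lines in this thread, and the sample lines are copied from the log posted above.

```python
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O4 - Startup: Webshots.lnk.disabled
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: SNDSrvc - Silicon Integrated Systems Corporation - (no file)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# A log entry starts with a section code such as R0, O4 or O23, then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# An O16 entry that is only a CLSID (optionally a name) followed by a bare "-"
# has no download source recorded.
EMPTY_DPF_RE = re.compile(r"DPF: \{[0-9A-Fa-f-]{36}\}(?: \(.*\))? -")


def parse_entries(log_text):
    """Return (code, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        # Logs pasted through a word processor or forum editor may have had
        # "-" converted to an en dash; normalise before matching.
        line = raw.strip().replace("\u2013", "-")
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("code"), match.group("body").strip()))
    return entries


def orphan_reason(code, body):
    """Return why an entry looks like a leftover, or None if it does not."""
    lowered = body.lower()
    if lowered.endswith("(file missing)"):
        return "target file missing"
    if lowered.endswith("(no file)"):
        return "no file registered"
    if code == "O16" and EMPTY_DPF_RE.fullmatch(body):
        return "DPF entry with no codebase"
    if code == "O4" and lowered.endswith(".disabled"):
        return "disabled startup shortcut"
    return None


def find_orphans(log_text):
    """Return (code, reason, body) for every entry that matches a rule."""
    found = []
    for code, body in parse_entries(log_text):
        reason = orphan_reason(code, body)
        if reason:
            found.append((code, reason, body))
    return found


if __name__ == "__main__":
    for code, reason, body in find_orphans(SAMPLE_LOG):
        print(f"{code:<4} {reason:<28} {body}")
```

The rules only flag references to files that are gone; they say nothing about whether an entry whose file exists is trustworthy, which still needs a person reading the log.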

#28 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 21 April 2006 - 03:48 AM

Hiya iguagaby!! :wave:

Actually the OfficeJet idea was in my mind just before you found that mystery file that sent me on a goose chase. I wanted to make sure it wasn’t malware related before trying that. That’s why I had you try Ewido to see if it would come clean. Anyway, I’m happy the Director problem is gone now.

Sorry about sending you on that goose chase… Hope we’re not doing the hunt in vain! :D

Yes, I’m also glad that the HP Director problem is behind us now. Also glad to know you had a solution up your sleeve before the goose chase sidetracked us. :)

And, yes, the new HP Solution Center works just fine with both my new and older OfficeJet models. :D

Have done the housekeeping you suggested about the entries in my HJT log. No problems encountered. Just a question about this entry (it’s not on your list, but I’ve been trying to fix it to no avail):

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

This puts the QuickTime icon in the system tray at startup. I would be able to fix it with HJT, albeit temporarily, but whenever I open a QuickTime file it would reappear. Would you happen to have any ideas on how to fix this entry permanently? Short of uninstalling QuickTime? :scratchhead:

I still can’t access my user profile during startup into Safe Mode. I can startup into Safe Mode using the default Administrator or my wife’s profile. Hmm, just a thought… could this be caused by the fact that the icons and everything else is ballooned up to a large size and there just isn’t enough space to show my user profile? I can still choose the default Administrator profile or my wife’s profile. Just can’t see my own profile. Maybe it’s just hidden? Don’t wanna go on a wild goose chase on this one. Ha! Just a thought… :whistle:


HJT Uninstall List

Ad-Aware SE Personal
Adobe Acrobat 5.0
Advanced WindowsCare
AIA e-Agent Mobile 3.0.0
ALPS Touch Pad Driver
AVG Free Edition
CCleaner (remove only)
Conexant D480 MDC V.9x Modem
Dell Media Experience
Digital Line Detect
Diner Dash (remove only)
Dragon NaturallySpeaking Components
ewido anti-malware
FileSpecs plug-in for Ad-Aware SE
GdiplusUpgrade
HijackThis 1.99.1
HJTHotkey 3.054
Hotfix for Windows XP (KB896344)
HP Extended Capabilities 5.3
HP Image Zone 4.2
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Investment Link System Ver 1.30
Investment Link System Ver 1.30A
Investment Link System Ver1.34
Investment Link System Ver1.35
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Kaspersky On-line Scanner
Lavasoft VX2 Cleaner
LSP Explorer plug-in for Ad-Aware SE
Macromedia Flash Player 8
Macromedia Shockwave Player
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office XP Professional with FrontPage
Microsoft Works 7.0
Modem Helper
Money Laundering Prevention Course (CDROM 1.0) (Full Install)
MSN
NetWaiting
overland
Panda ActiveScan
PowerDVD 5.1
QuickSet
QuickTime
Sales Illustration System Ver 1.31
Sales Illustration System Ver 1.31W
Sales Illustration System Ver1.31_V2
Sales Illustration System Ver1.32
Sales Illustration System Ver1.33
Sales Illustration System-SIS_EC(09/2004)
SD Viewer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Skype 1.3
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sony Digital Voice Editor 2
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Star Trek Armada II DEMO
Star Trek Bridge Commander Demo
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
VobSub v2.23 (Remove Only)
Voice Studio
WebCyberCoach 3.2 Dell
Webshots Desktop
WinASO Registry Optimizer 2.51
WinASO Registry Optimizer 2.53
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Safety scanner
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Anti-Spy
Yahoo! Toolbar
ZoneAlarm



Silent Runners Log

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"PRONoMgr.exe" = "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" ["Intel® Corporation"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"PCMService" = ""C:\Program Files\Dell\Media Experience\PCMService.exe"" ["CyberLink Corp."]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"DXDllRegExe" = "C:\WINDOWS\system32\dxdllreg.exe" [file not found]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\Quickset.exe" [empty string]
"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}" = "Sony Digital Voice File Shell Extention Module"
-> {HKLM...CLSID} = "Sony Digital Voice File Shell Extention Module"
\InProcServer32\(Default) = "IcdShlex.dll" ["Sony Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgse.dll" ["GRISOFT, s.r.o."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
INFECTION WARNING! Sebring\DLLName = "C:\WINDOWS\system32\LgNotify.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Leslie Quah\Application Data\Webshots\The Webshots Desktop\Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\PROGRA~1\Webshots\webshots.scr" ["Webshots.com"]


Startup items in "Leslie Quah" & "All Users" startup folders:
-------------------------------------------------------------

C:\Documents and Settings\Leslie Quah\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"HP Image Zone Fast Start" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDetect.exe" [file not found]
"WebReg officejet 5500 series" -> launches: "C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe "officejet 5500 series"" ["Hewlett-Packard Co."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
RegSrvc, RegSrvc, "C:\WINDOWS\system32\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\WINDOWS\system32\S24EvMon.exe" ["Intel Corporation "]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
hpzsnt12\Driver = "hpzsnt12.dll" ["HP"]
PDF Port\Driver = "C:\WINDOWS\system32\pdfports.dll" ["Adobe Systems Incorporated."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 34 seconds, including 18 seconds for message boxes)



Much, much, much appreciate your time and patience on this!

Have a good one, and take care!! :wave:
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
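
The Silent Runners log in the post above, read programmatically. This is an added example, not part of the original thread and not code from Silent Runners; it assumes the bracketed field ending each line is the target file's company string and that [file not found] marks a launch point whose target is missing. The sample lines are copied from the log above; the names Entry, parse and triage are hypothetical.

```python
import re
from dataclasses import dataclass

# Excerpt copied from the Silent Runners log posted above (not constructed data).
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"DXDllRegExe" = "C:\WINDOWS\system32\dxdllreg.exe" [file not found]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\Quickset.exe" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDetect.exe" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" [file not found]
'''

WARNING = "INFECTION WARNING!"
TAG_RE = re.compile(r'^(?P<body>.*\S)\s*\[(?P<tag>[^\[\]]*)\]$')
SPLIT_RE = re.compile(r'\s(?:=|->\s[\w ]+:)\s')    # ' = ', ' -> launches: ', ' -> shortcut to: '
SECTION_RE = re.compile(r'^(?:HK[A-Z]+\\|[A-Za-z]:\\)|:$')  # key path, folder path or 'Title:'


@dataclass
class Entry:
    section: str
    name: str
    target: str
    tag: str        # bracketed field; assumed to be the file's company string
    flagged: bool   # the entry's first line carried INFECTION WARNING!

    @property
    def status(self):
        if self.tag == "file not found":
            return "orphaned"          # launch point survives, target is gone
        if self.tag in ("null data", "empty string"):
            return "no-publisher"      # file exists but names no company
        return "named-publisher"


def parse(log):
    """Turn Silent Runners text into Entry records, one per tagged line."""
    entries, section, pending, flagged = [], "", None, False
    for raw in log.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:          # blank line or underline
            continue
        if line.startswith(WARNING):
            flagged, line = True, line[len(WARNING):].strip()
        m = TAG_RE.match(line)
        if m is None:
            if line.startswith("->"):               # CLSID title for a GUID-only entry
                title = line.split(" = ", 1)[-1]
                if title.startswith('"') and (pending is None or pending.startswith("{")):
                    pending = title.strip('"')
            elif SECTION_RE.search(line):           # new registry key or titled section
                section, pending, flagged = line.rstrip(":"), None, False
            else:                                   # first line of a multi-line entry
                quoted = re.findall(r'"([^"]+)"', line)
                pending = quoted[-1] if quoted else line.split(" = ", 1)[0]
            continue
        body, tag = m.group("body"), m.group("tag").strip('"')
        parts = SPLIT_RE.split(body, maxsplit=1)
        name, target = parts if len(parts) == 2 else ("", body)
        name = name.strip('"')
        if name.startswith("\\") and pending:       # \InProcServer32\(Default) continuation
            name = pending
        entries.append(Entry(section, name, target.strip('"'), tag, flagged))
        pending, flagged = None, False
    return entries


def triage(entries):
    """Group the launch points a reviewer would look at first."""
    report = {"orphaned": [], "no-publisher": [], "flagged": []}
    for e in entries:
        if e.status != "named-publisher":
            report[e.status].append(e.name)
        if e.flagged:
            report["flagged"].append((e.name, e.tag))
    return report


if __name__ == "__main__":
    for kind, items in triage(parse(SAMPLE_LOG)).items():
        print(kind, items)
```

On this excerpt the orphaned group holds the DXDllRegExe, Symantec NetDetect and Norton AntiVirus launch points, while the two flagged entries carry ewido and Intel strings, so the warning has to be read together with the bracketed field.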

#29 iguagaby


Posted 22 April 2006 - 12:18 AM

Hi notsobrilliant!! :wave:

You have quite a collection there!!

Because you have both, the old version of Java as well as the new one, I would suggest you uninstall both of them and reinstall 06 again, if you really need it, to avoid possible conflicts.

When the install is finished just delete the Java Icon on the desktop. You can also delete the one in your start menu>programs. They are only shortcuts.

Then go to your control panel and open Java>Update Tab and uncheck the auto update check box. You can always manually check for updates.

Java 2 Runtime Environment, SE v1.4.2_03
J2SE Runtime Environment 5.0 Update 6


Unless you have a special reason to keep the following programs, they can be safely removed from the Add/Remove program. They don’t have a good reputation.

WebCyberCoach 3.2 Dell
WinASO Registry Optimizer 2.51
Sonic Update Manager
Yahoo! Anti-Spy


More info on Yahoo! Anti-Spy here:

http://www.dslreport...99574~mode=flat

I’m not too sure about the next one. Is it something you installed? I’m suspicious about that one.

Overland

If there is anything else that you have and don’t use much, I would uninstall it to give your system better performance. After you uninstall the programs you can use RegSeeker to get rid of any leftovers.


To disable Quicktime from Taskbar

Right Click on Quicktime on Taskbar
Select "Quicktime Preferences"
Select "Browser Plug in" from dropdown.
Unselect "Quicktime system Tray Icon"
Close
Reboot. If that doesn’t work, I have another idea.

Let me know how it goes. If we have to, you can make a back up of all your files in your profile and then delete that profile and create another one.

#30 Sempurna


Posted 24 April 2006 - 03:55 AM

Hiya iguagaby!! :wave:

Hope you had a great weekend!!

You have quite a collection there!!

:whistle: :whistle: :whistle: :whistle: :whistle: :whistle: :whistle:

A lot of it came bundled with the laptop. Some are company proprietary software that we use for our work. Others, I downloaded. Will uninstall what’s unnecessary as you suggested. :)

Because you have both, the old version of Java as well as the new one, I would suggest you uninstall both of them and reinstall 06 again, if you really need it, to avoid possible conflicts.

Done!


Unless you have a special reason to keep the following programs, they can be safely removed from the Add/Remove program. They don’t have a good reputation.

Done! And thanks for the tip about Yahoo! Anti-Spy. :)

Err, is there a website you can suggest where I can look up on the reputations of various programs?


I’m not too sure about the next one. Is it something you installed? I’m suspicious about that one.

Overland

After you mentioned it, I got suspicious as well since I’ve never installed anything by that name. I then searched for the files/folders with that name. Guess what? It’s in a separate folder, C:\Program Files\Overland\, but it’s apparently an HP module of some sort. Complete with an installer and a whole bunch of other files. It must be one of those things that HP installs without our knowledge. I remember my old HP software installer did the same thing, but with a different app and folder. It’s gone now. Probably got uninstalled as part of the new HP download.

The only article I could find at the HP website about the Overland module was this one. I have no idea what it does. Doing a Google search on the subject didn’t turn up much either. I assume it’s legit.


If there is anything else that you have and don’t use much, I would uninstall it to give your system better performance. After you uninstall the programs you can use RegSeeker to get rid of any leftovers.

Um, how should I use RegSeeker to get rid of any leftovers? A bit wary cleaning the registry when I really don’t know how. Sorry for the bother. :)


To disable QuickTime from Taskbar…

Worked like a charm! Thanks for the tip!! :)


Let me know how it goes. If we have to, you can make a back up of all your files in your profile and then delete that profile and create another one.

Everything is working fine so far. No problems with the laptop. I still can’t logon into Safe Mode with my profile. I guess we would have to do the back up like you suggested and create another profile. How should I go about that?

Thanks again for your time, patience, and support on this, iguagaby. You're one of the good guys on this planet!!

Have a good one!! :wave:

#31 iguagaby


Posted 25 April 2006 - 01:10 AM

Hello again!!! :wave:

Yes, I had a good weekend. Thank you!! I have just become a volunteer soccer coach. I got to meet my players on Saturday for our first match. They have lots to learn yet.

To find all leftovers of uninstalled programs, open the RegSeeker folder and click “RegSeeker” to open the program.

The program will show you many options.

Below the name “RegSeeker” click “Find in Registry.”
Copy and paste the name of the program you uninstalled in the “Search for” window.
Click “Search”.

Once it finds all files related to it, highlight the entries first. Then right click on them and choose delete. Do this for each program you uninstalled.

I'm glad you got rid of some of your unnecessary programs. Yes, unfortunately, much software comes bundled with all kinds of garbage, so it is better to do a clean install. That is what I always do.

I will check with other people on staff to see if they have any idea about the profile inability of using safe mode. I thought we could ask for other ideas before deleting the profile, although, that would be the easy way out. What would you rather do? If you decide to delete it, the following are the steps.


You must log in as an Administrator on the local computer to be able to delete a user profile. You cannot copy or delete a user profile that belongs to the currently logged on user or any user whose profile is in use. Deleting a profile will lose all the following: desktop settings, favorites, program-specific data that is contained in the Application Data folder, and the contents of the My Documents folder. So you should make backups of any files that are important to you in the “My Documents” folder.

To delete a profile:

Go to “Start/Control Panel/System”
Click the “Advanced” tab,
Under User Profiles, click Settings.
Under “Profiles stored on this computer”, click the user profile you want to delete, and then click “Delete.”

I'll get back to you about a site to check reputation of programs tomorrow. I need to go to sleep now. It's past midnight here now.

Take care!!!

#32 iguagaby


Posted 25 April 2006 - 10:19 PM

Hi notsobrilliant,

Well, I said I will give you the info about a site to check programs’ reputation. Here it is. You might have read the first two already. They are here in our very own SWI site. The third one is at SpywareWarrior site. The 4th one is at CastleCops. But when you can’t find the name of the program you are trying to find info on, you can always Google it. I always try to find the reviews for that specific program to see what other people think of it. The more reviews you find, the easier it is to make up your own opinion about whether it is any good or not.

http://forums.spywar...showtopic=49084

http://www.spywarein...m/articles/p2p/

http://www.spywarewa...nti-spyware.htm

http://castlecops.com/reviews.html

#33 Sempurna


Posted 26 April 2006 - 08:48 AM

Hiya iguagaby!! :wave: :wave: :wave:

You’re a volunteer soccer coach! Wow, what age group? From the looks of it, your players must be just starting out in the game. Great game, though. I hope you guys manage to catch the upcoming World Cup in Germany. The time difference should suit you guys better than us poor sobs over here. Most of the live matches would be around 2am-3am our local time! Ha! :D

Thanks for the tips and coaching on how to use RegSeeker properly!! And, you’re right… should just keep to clean installs like you do because of all the garbage out there. :)


I will check with other people on staff to see if they have any idea about the profile inability of using safe mode. I thought we could ask for other ideas before deleting the profile, although, that would be the easy way out. What would you rather do?

Let’s wait for the responses from the other people on staff, then. No rush here since it’s not that critical. If worse comes to worst, I could still do the backup and profile deletion procedure that you outlined. But, let’s see what the others have to say before we do that. :)


Thank you so very, very much for taking the trouble to find the websites about suspect programs for me!! Actually, I’ve already bookmarked the SWI ones. :) I kinda lost track of the Spyware Warrior site, although I do remember seeing it at one time or another while I was going through the various articles in Boot Camp. The CastleCops site is new to me. Thank you so much again for your trouble!! :)

I hope you and your players have a good soccer game this coming weekend!! Until the next time, take good care of yourself, too!!

#34 iguagaby


Posted 26 April 2006 - 09:29 AM

Hiya iguagaby!! :wave: :wave: :wave:

You’re a volunteer soccer coach! Wow, what age group?

They're eleven year olds. One of the moms told me they didn't have a coach, and their team may fold because of it, so I decided to help out for the children's sake. Most of them are pretty good physically, but they need to develop their thinking skills. There are three who are pretty weak, but they can improve also.

I hope you and your players have a good soccer game this coming weekend!! Until the next time, take good care of yourself, too!!

Thank you!!!

I will post about our problem and let you know.

#35 iguagaby


Posted 29 April 2006 - 01:07 PM

Hi notsobrilliant,

It must be a very unusual problem the one you have. I haven't got too many suggestions back yet. One of the experts thinks that WinASO Registry Optimizer 2.51 might have damaged your registry in that profile if it was used unwisely, and that could have caused the problem. Let’s try an internet repair and see if that helps. If that doesn’t help, then deletion of the profile has to be it. An internet repair requires that you have the Windows XP CD. I hope you have it handy. This will take a while, so just give it time.

• From the Start menu, select Run.
• In the Open field, copy and paste sfc /scannow (Note: There is a space between sfc and /scannow if you decide to type it instead)
• Select the OK button.
• Follow the prompts throughout the System File Checker process.

Reboot the computer when System File Checker completes, and report back please.

#36 Sempurna


Posted 01 May 2006 - 11:20 PM

Hiya iguagaby, :wave: :wave: :wave:

Have done the sfc scan. Didn't turn up anything at all. Had my XP cd all ready and handy, but was never prompted by sfc scan to do anything. It just scanned, and closed by itself when it was all done. I assume all the protected files are all in their original versions and unaltered? :scratchhead:

So, we're down to creating a new profile and deleting the old one, then? :whistle:

Have a good one!!

p.s. I'm so glad that we're back online again!! Was feeling somewhat like a gypsy or orphan for a little while there... :)

#37 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 02 May 2006 - 09:46 PM

So, we're down to creating a new profile and deleting the old one, then? :whistle:

Correct!! Just make sure you make a backup of all your important files in that profile. You can save that backup on a CD.

p.s. I'm so glad that we're back online again!! Was feeling somewhat like a gypsy or orphan for a little while there... :)

I missed all that excitement that evening because I retired early from computer land that night, but when I tried to log in the next morning, I was sadly surprised by not being able to. I took refuge at CastleCops in the meantime. I was feeling the same as you though. I'm extremely happy it didn't last too long.

Let me know how things go with the new profile.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#38 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 04 May 2006 - 04:14 AM

Hiya iguagaby, :wave: :wave:

I'm sorry for the tardiness of my reply. I've been a bit busy lately. Not to mention what time I have at the forums has been spent trying to catch up on my knowledge at Boot Camp. :p

Found this at the Microsoft website:
http://support.micro...om/?kbid=811151

Could I follow the instructions as listed in the link above? The reason I ask is because I have about 4.5 GB of files in "My Documents" folder!! Lots of work files, client data, spreadsheets, video presentations, etc... :whistle: :whistle: :whistle:

Also, would be a shame to lose all the data for my desktop settings, favorites, program-specific data that is contained in the Application Data folder, etc. and have to reconfigure/reformat them again.

What do you suggest?

Have a good one!! :)

#39 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 04 May 2006 - 10:46 PM

Found this at the Microsoft website:
http://support.micro...om/?kbid=811151

Could I follow the instructions as listed in the link above? The reason I ask is because I have about 4.5 GB of files in "My Documents" folder!! Lots of work files, client data, spreadsheets, video presentations, etc... :whistle: :whistle: :whistle:

Also, would be a shame to lose all the data for my desktop settings, favorites, program-specific data that is contained in the Application Data folder, etc. and have to reconfigure/reformat them again.

What do you suggest?

Unfortunately, that is entirely your choice. You need to decide if you would rather have a corrupted profile with no safe mode and all your files as they are, or a new one with safe mode where you have to reconfigure everything again. I guess it would depend on which one you consider more important or less of a problem. If you decide to change it, you can follow those instructions in that link.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#40 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 10 May 2006 - 03:55 AM

Houston, we have a problem... :wtf: :ugh:

Now this is becoming really strange. I can't seem to create a new user profile that will show up in the Safe Mode startup window!! It doesn't matter if I try it using my current user profile, my wife's user profile, or the default Administrator user profile... none of it works!! I can only view the default Administrator or my wife's user profile in Safe Mode. :scratchhead:

Maybe we should soon be expecting my laptop to glow in the dark, float around, make sandwiches in the middle of the night, beget descendants... :techsupport:

Any ideas? This must be a first for all of us. I've never heard of this happening anywhere before, especially since we've already done a sfc scan.

Have a good one!! :D

p.s. Hope your soccer team is coming along just fine!!

Edited by notsobrilliant, 10 May 2006 - 11:59 PM.


#41 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 10 May 2006 - 11:19 PM

Now that is definitely puzzling!!!! :scratchhead:

Let me ask around some more questions and see if someone can come up with something.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#42 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 11 May 2006 - 10:03 PM

Ok notsobrilliant,

p.s. Hope your soccer team is coming along just fine!!

Yes, the boys are coming along well. Four of them still need to learn to play as a team. They tend to hold on to the ball too long. Thanks for asking!!!

And now back to our topic. Here is some advice from one of our experts.

I think just backing up the profile (simply enough by logging in as a different admin user, renaming the profile folder to c:\documents and settings\<user>.old, rebooting and logging back in with the corrupted user should create a new profile and possibly fix the problem. From that point, it should be simple enough to copy back over data, favorites, configs, etc from the .old profile (just don't copy NTUSER.DAT!). You don't have to backup everything off-disk in this case....


Let me know how it goes.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#43 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 21 May 2006 - 03:35 AM

Hi iguagaby,

I have followed racooper's instructions. Unfortunately, that didn't do the trick. I still can't see my profile in the Safe Mode startup window. :scratchhead:

Another thing, whenever I log in with my new profile, notepad will always open with the following text:

DESKTOP
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787


How do I stop that from happening? Or is this an error message of some kind?

Have a good one!! :thumbsup:

#44 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 21 May 2006 - 10:57 AM

Ok, this is to fix the notepad problem, and we'll keep working on the safe mode one. I'll get back to you on that as soon as I can.

1. Start Windows Explorer.
2. On the Tools menu, click Folder Options, and then click the View tab.
3. In the Advanced settings box, click to clear the Hide extensions for known file types check box and the Hide protected operating system files check box (if they are not already cleared), and then click OK.
4. Delete any occurrences of the Desktop.ini file that contains the lines described in the "Symptoms."
To do so:
a. Locate each of the following folders, right-click the Desktop.ini file (if the file exists in that folder), and then click Open:
• drive:\Documents and Settings\All Users\Start Menu\Programs\Startup
• drive:\Documents and Settings\All Users\Start Menu\Programs
• drive:\Documents and Settings\All Users\Start Menu
where drive is the drive on which Windows is installed.
b. Verify that the file contains the following lines:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
If the file contains these lines, right-click the file, click Delete, and then click Yes when you are prompted to confirm the deletion.

5. Restart your computer and verify that the issue is resolved. Report back please.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!
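
A read-only check for step 4 of the instructions above, as an added example that is not part of the original post: it looks in the three listed folders for a Desktop.ini that contains both lines and reports it, leaving the deletion to the manual steps. The function names are hypothetical, and the handling of UTF-16 files and stray whitespace is an assumption about how such a file may be stored.

```python
import os
import re

# The three folders named in the steps, relative to the Windows drive root.
STARTUP_DIRS = [
    r"Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"Documents and Settings\All Users\Start Menu\Programs",
    r"Documents and Settings\All Users\Start Menu",
]
# The two lines from step 4b, lower-cased with whitespace removed.
SECTION = "[.shellclassinfo]"
RESOURCE = r"localizedresourcename=@%systemroot%\system32\shell32.dll,-21787"


def read_ini_text(path):
    """Decode a Desktop.ini that may be UTF-16 (with BOM) or ANSI (assumption)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def has_symptom_lines(text):
    """True when both lines are present, ignoring case and spacing."""
    lines = {re.sub(r"\s+", "", ln).lower() for ln in text.splitlines()}
    return SECTION in lines and RESOURCE in lines


def find_matching_desktop_ini(drive_root):
    """Return paths of Desktop.ini files in the three folders that match."""
    hits = []
    for rel in STARTUP_DIRS:
        folder = os.path.join(drive_root, *rel.split("\\"))
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if name.lower() == "desktop.ini" and os.path.isfile(path):
                if has_symptom_lines(read_ini_text(path)):
                    hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in find_matching_desktop_ini("C:\\"):
        print("matches the lines in step 4b:", hit)
```

A Desktop.ini with different contents in the same folders is not reported, which matches the "verify before deleting" check in step 4b.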


#45 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 29 May 2006 - 11:05 PM

Hi notsobrilliant!!! :wave:

How are things going? I still haven't heard of any other ideas about the user profile problem in safe mode. I was just wondering if you have tried to create a new user profile in safe mode. There is nothing to lose if you want to give it a try. If you do try, let me know if it works.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#46 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 30 May 2006 - 11:48 PM

I just got another idea from one of our mods.

I think the users are actually there in safemode he just can not see them because of the screen resolution. It is not unusual in XP to only be able to see administrator and the next user name alphabetically (I bet his user name is after his wife's alphabetically). If you have him down arrow or perhaps it is tab (I can not remember) you should be able to get to the other usernames.

It's worth a try.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#47 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 06 June 2006 - 11:21 PM

Hi notsobrilliant, :wave:

You either gave up, or you are too busy with Boot Camp.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#48 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 07 June 2006 - 02:48 AM

Hi iguagaby,

Sorry!! Sorry!! Sorry!! Sorry!! Sorry!! :blink: :blink: :blink:

I had this topic subscribed, but for some reason or other, I didn't get any email notification on this (or any other reply).

I haven't given up, and I've not been too busy at Boot Camp either. I'm currently finishing up on my last practice log (Avohir's one), and if everything goes well, I should be posting in "Check my post please" soon. :p

I will give your suggestions a try, and post back a report ASAP.

Thanks for your time and patience on this. I really appreciate it!! :D

#49 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 07 June 2006 - 03:14 AM

Hi iguagaby, :wave:

Good news!! Everything seems to be ok!! (Appropriate apologies in the previous post above...)

The offending Desktop.ini file was successfully deleted. No annoying notepad window showing up at bootup anymore. Thanks for the directions!! :thumbsup:

Aczechgurl hit the nail on the head. Using the arrow keys, I was able to scroll down and see my profile at the Safe Mode startup window. Problem solved!!

Thanks again for your time and patience in helping out a noob like me, iguagaby. I really do appreciate all the help you've given me. Looking forward to working with you (and everyone else here) when I progress further in Boot Camp.

Take care!! :wave:

#50 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • 2,220 posts

Posted 07 June 2006 - 10:24 PM

Sorry!! Sorry!! Sorry!! Sorry!! Sorry!! :blink: :blink: :blink:

I had this topic subscribed, but for some reason or other, I didn't get any email notification on this (or any other reply).

No problem!!! It has happened to me as well.

I haven't given up, and I've not been too busy at Boot Camp either. I'm currently finishing up on my last practice log (Avohir's one), and if everything goes well, I should be posting in "Check my post please" soon. :p

Good job!!! Keep it up!!! :thumbsup:

Good news!! Everything seems to be ok!! Thanks for the directions!! :thumbsup:


My pleasure!!! :p

Aczechgurl hit the nail on the head. Using the arrow keys, I was able to scroll down and see my profile at the Safe Mode startup window. Problem solved!!

That is what I call team work!!! :D

Looking forward to working with you (and everyone else here) when I progress further in Boot Camp.

I will be looking forward to having you take some of those falling logs.

Take care!!! :wave:
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!




