Win 7 Security 2011 $59.95 - Urgent Help Please
Comments
Run HijackThis again and see if these two entries are still there. If they are, then check the box next to both of them, and press the 'Fix Checked' button down the bottom:
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files (x86)\Consumer Input\dca-bho.dll
O4 - HKCU\..\Run: [Consumer Input Update] C:\Program Files (x86)\Consumer Input\dca-ua.exe
Do you have more than one Windows Live/MSN account? If not, you can Check this in HijackThis, and press "Fix Checked"
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
Do you use the Toshiba Media Controller? Some people find it annoying. You can take it off your browser by Checking this in HJT and pressing 'Fix Checked':
O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
Do you use Shop and scan? It seems a bit like the Consumer Report program - unnecessary and a privacy risk. I would check this in HijackThis, then press 'Fix Checked'
O16 - DPF: {EBB176D2-AF75-4706-832F-4C8448F72757} (TNSClickerc.Clicker) - http://www.shopandscan.com/TNSClickrc.CAB
Press Start, Control Panel > Java > Advanced > miscellaneous, then untick the Java Quick starter, to stop Java updater from running the whole time.
Press Start, then type in msconfig and press enter. Go to the Startups tab up the top, and untick these items to stop them automatically running on Windows bootup:
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" (should be unticked or gone already)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Do you use the Windows sidebar? If not, you can untick these in msconfig to stop it loading up:
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
I can't really find any information on what the Toshiba Online Product Information program is, but it really doesn't seem necessary. Personally I would uninstall it:
Start > Control Panel > Programs and features, then look for the Toshiba Online Product Information and uninstall it. Alternatively you could untick it in Msconfig, and just see if you miss anything:
O4 - HKUS\S-1-5-18\..\Run: [TOSHIBA Online Product Information] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TOSHIBA Online Product Information] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe (User 'Default user')
This is the program from Toshiba that reminds you to create a recovery disk. Supposedly it's also needed to make the disk. If you haven't already made a recovery disk, it would be worthwhile to do one, and then Untick this in MSCONFIG so it's not always running:
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files (x86)\Toshiba\TRDCReminder\TRDCReminder.exe (User 'Default user')
After you do all this, please post a new HijackThis log.
I'll do this right now, RussJK - thank you for giving this so much of your time.
Crimson
RussJK - Would you believe I have been doing everything you suggested non-stop since 12.20 pm? I managed to remove most of what you suggested, I think, apart from 02 BHO: Windows Live ID Sign-in Helper and 02 BHO: TOSHIBA Media Controller Plug-in.
After exhaustive attempts (There was a notice saying that Windows Task Manager for some reason denied write access to the Hosts file.)
I tried to remove them manually but still with no success.
Finally (and most frustratingly because of my own lack of skill) I was completely unable to copy or/and paste the result of HijackThis - although I had ticked to keep a copy of the log. I don't know what I am doing wrong because I managed to copy and paste it before - but I really have tried! This time I could not see any link to let me copy or paste - I even tried 'analyze this' but that was unsuccessful too.
I'm very sorry to be a nuisance but any help will be appreciated,
thank you.
Unfortunately I have to go out soon or I would (after a cup of tea!) persevere at present. I am so eager to try.
I'll be logging off now because I have to go out and won't be back till much later - thank you again.
Crimson
Deleted_User wrote: »RussJK - Would you believe I have been doing everything you suggested non-stop since 12.20 pm? I managed to remove most of what you suggested, I think, apart from 02 BHO: Windows Live ID Sign-in Helper and 02 BHO: TOSHIBA Media Controller Plug-in.
After exhaustive attempts (There was a notice saying that Windows Task Manager for some reason denied write access to the Hosts file.)
I tried to remove them manually but still with no success.
Oh no, I didn't realise you were still working at it! It's not so critical that it's something worth taking so much of your time, but still good to learn if you are interested.
Shouldn't be trying to write to the hosts though, unless it was just the message from Hijackthis when it's not run as administrator...
Best to run Hijackthis from the file saved to the desktop, rather than installing it really. You can go back to my previous posts in this thread for how to run Hijackthis properly if you like.
When you run Hijackthis, it normally pops up the log in notepad if you've selected the 'scan and save a log' option. It's separate to the one that appears in the program itself with the checkboxes etc. It'll have saved a log as hijackthis.log, just check the time it mentions at the top to make sure it's the one you had just done.
Did you change the name of this file yourself?
2011-02-21 19:55 . 2011-02-21 19:55 940544 ----a-w- c:\users\Christine\AppData\Local\l!!!cxx.dll
No, aliEnRIK, I didn't change the name myself - I really would not know how to. My skills are not good but I am learning. What does it mean - the file above, please?
Crimson.
Thank you again RussJK. I was so very spooked with all the problems before that I am now all too eager to get sorted.
I'll do as you suggest re HijackThis - hopefully I'll be able to report back with the log this time!
Crimson
Deleted_User wrote: »Thank you again RussJK. I was so very spooked with all the problems before that I am now all too eager to get sorted.
I'll do as you suggest re HijackThis - hopefully I'll be able to report back with the log this time!
Crimson
Success this time, RussJK. I must have brain block because I failed to follow your earlier instructions. Here is the latest log from HiJackThis performed just a few minutes ago:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:01:54, on 10/05/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Users\Christine\Downloads\HijackThis (1).exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (file missing)
O4 - HKCU\..\Run: [FileHippo.com] "C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files (x86)\Toshiba\TRDCReminder\TRDCReminder.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {EBB176D2-AF75-4706-832F-4C8448F72757} (TNSClickerc.Clicker) - http://www.shopandscan.com/TNSClickrc.CAB
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Notebook Performance Tuning Service (TEMPRO) (TemproMonitoringService) - Toshiba Europe GmbH - C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 7237 bytes
As you suggested, RussJK, I haven't ticked anything - just posted the log. I really appreciate all the time and effort you are putting in.
Crimson
turn off spybot's teatimer - open spybot > on the Mode (next to File, top bar)> click Advanced > Tools > Resident and untick the box for teatimer.
Are you running 32- or 64-bit Windows 7 ?? hjt log looks like it's 64-bit, but run whichever version of the AVG removal tool (1st or 2nd on the list) as a previous log showed traces of AVG. When you uninstall it it leaves bits behind:-
http://www.avg.com/gb-en/download-tools
be careful of the many (file missing) entries in hjt, as this is common on 64-bit systems, and fixing these may leave your system knackered......
Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
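The caution above about (file missing) entries on 64-bit systems, as an added example that is not part of the original thread: HijackThis 2.0.4 runs as a 32-bit program, so 64-bit Windows redirects its view of System32 and of %ProgramFiles%, and files that exist can be reported as missing. This Python sketch triages log lines on that basis; the function names and verdict labels are hypothetical, and the sample lines are copied from the log posted above.

```python
import re

# Sample lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (file missing)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
# Last drive-letter path on the line, immediately before the "(file missing)" tag.
MISSING = re.compile(r"([A-Za-z]:\\[^:]*?) \(file missing\)$")
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def classify(line):
    """Return (section, path, verdict) for one log line, or None if not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    missing = MISSING.search(body)
    if not missing:
        return (section, None, "present")
    path = missing.group(1)
    if SYSTEM32.match(path):
        # A 32-bit scanner asking for System32 is served SysWOW64 instead,
        # so binaries that exist only in the real System32 look absent.
        verdict = "wow64-redirect"
    elif "%programfiles%" in body.lower() and r"\program files (x86)" in path.lower():
        # %ProgramFiles% expands to "Program Files (x86)" inside a 32-bit process.
        verdict = "wow64-envvar"
    else:
        # Outside the redirected locations: check on disk before fixing.
        verdict = "verify"
    return (section, path, verdict)


def triage(log_text):
    """Classify every recognisable entry in a HijackThis log."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for section, path, verdict in triage(SAMPLE_LOG):
        print(f"{section:4} {verdict:15} {path or ''}")
```

Entries marked `wow64-redirect` or `wow64-envvar` are the ones to leave unticked; only `verify` entries are candidates for 'Fix Checked' once the file is confirmed gone.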
The log looks much better
Glad you've been able to get this far. Still got the shop and scan activex object in there, but if you use the site then it'll keep getting installed anyway. Edit: we'll go with removing teatimer
Edit: What antivirus do you have installed by the way?
Actually is your version of SuperAntiSpyware the paid version with the realtime blocking? Or is it the free version that only allows manual on-demand scans. Might be worth setting that not to start at boot time, as it has no need to be running unless you decide to do a scan. If you go into the Superantispyware settings, then you just uncheck the 'start superantispyware when windows starts' bit like in this picture:
http://i1-win.softpedia-static.com/screenshots/SUPERAntiSpyware_4.png