Weird icon in system tray + Boot Problems

You should attempt to follow all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

If still having a problem after the above, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.

 

The procedure clearly stated that if you cannot run in safe mode (for whatever reason) to run the steps in normal boot mode.

We did not ask you to do a system restore. We asked you to disable system restore.

 

You said " I couldn't boot in safe mode to finish the rest of the inital spyware scan."
Which meant to me you did not finish the scans. I do not see any sign of the online scans being run, so that still means they were not run.

 

Why are you running msconfig at startup? Are you using it to do a selective startup? If so, you should let everything run normally so we can see all of the items that would normally load. You could be hiding problems we need to see. I'm talkin about this line in your log.
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Is this ProxyServer something you have setup and need?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=cache1.midco.net:3128


Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
?ttrib.exe


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {42D86F7A-BA1C-59CF-8407-6D5504F5733C} - C:\WINDOWS\system32\qiid.dll (file missing)
O2 - BHO: (no name) - {81C2F84F-7860-FF73-60B8-AA9A17ADA690} - C:\WINDOWS\System32\vrslotvb.dll
O2 - BHO: (no name) - {DB9F9735-00FE-282A-D13B-04C5367E45B0} - C:\WINDOWS\system32\juhesfii.dll
O4 - HKLM\..\Run: [igcjjlcf] C:\WINDOWS\wnaznrgi.exe

O4 - HKLM\..\Run: [sfikcblswk] C:\WINDOWS\system32\bslrqr.exe

You should uninstall SpywareKilla. It is on a list of rogue/suspect spyware removal tools. See this link: http://www.spywarewarrior.com/rogue_anti-spyware.htm
O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe" /s

O4 - HKCU\..\Run: [Ease] C:\Documents and Settings\Administrator\Application Data\oesb.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
m.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19bd54c724f9afb48922/netzip/RdxIE601.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab


Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\System32\vrslotvb.dll
C:\WINDOWS\system32\juhesfii.dll
C:\Documents and Settings\Administrator\Application Data\oesb.exe

Empty your C:\Windows\Prefetch folder and your Recycle Bin

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

I thought it was something you installed. That's why I skipped it. You have other problems though. See my post below of things that need to be fixed.

Look in Add/Remove program for something relating to HyperTechnologies or Deep Freeze.
If found, uninstall it. If that does not work, we will use HJT to remove it. Let me know.

 

Does the system tray icon for Deep Freeze allow you to disable it?

 

Try bringing up Task Manager and right click the below processes and select End process tree.
DfServEx.exe
FrzState.exe

Does that work?

 

I would like you to goto SysInternals and download ProcessExplorer: http://www.sysinternals.com/files/procexpnt.zip

Unzip it to a folder and run it. Try using it to kill those processes.

 

According to what I have read this is a program that people install themselves. Normally installed by an Administrator. It is not considered malware in anything I have read. It's rather strange that you cannot kill it or uninstall it. Are you logged in as the Administrator?

 

That may be the start of the problem with removing it. I have read that if you don't end the program first before trying to remove certain items, it will respawn and now you have no way to remove it.


What is showing in your Startup list? You can Generate a StartupList log using HijackThis.

Run HJT, select Config on lower right. In the next window first select 'List also minor sections (full)' and then choose 'Generate StartupList log' and save it to a .txt file so you can post it back here as an attachment.

 

Click Start, Run, and enter Services.msc then look thru the list of services. Do you see this stuff in the services list?

 

You must stop it by right clicking on it then select stop. Now disable it by right clicking on it and selecting Properties. Then in the General tab see the area that says "Startup type: " click on the pull down arrow and change it to Disabled.

Now let's see what happens. Try ending the running processes now with ProcessExplorer.

 

Yes, see if it can be disabled.

 

You're welcome! But in a couple minutes I have to get some sleep! It's 2:30 am here and my eyes are getting blurry and my fingers are getting tired . It's been busy here tonight.

 

Okay try rebooting your PC and see what happens. The service we killed may be the thing that starts everything up. Without the service starting, the other program may not even run anymore. On the otherhand, they may all reload after reboot. If so, we may need to have something like Pocket Killbox try to delete those files upon Windows startup. Let's see.

I'm signing off now. Talk with you later tomorrow (today).

 

I know you said you tried System Restore, but did you try going to a restore point before Nov 27th?
Also, before doing that Stop & Disable the service again.

 

This is all too strange. How did this application get installed on your PC without your knowledge? Thi s does not sound like malware that would do that. Someone had to install it. Was this always your PC?

Check to see if the password is just empty (just hit return). You may need to get in touch with this company to find out how to recover from a lost password and how to uninstall it.

 

That maybe true. And for that matter, I don't know that either.

 

I did not have time to read all of this but maybe you will find this interesting:

http://forum.hackinthebox.org/viewtopic.php?p=5384