# Recover XP system after trojan attack



## JoeBlack999 (May 12, 2008)

P4 machine
Gigabyte motherboard
1 GB ram
Windows XP home SP2
Audigy soundcard
Nvidia GForce 5600 graphics card.

Got hit with *Virtuamonde* trojan.

Ran a barrage of scans, with Trojan Hunter, Spybot Search and Destroy, Panda Anti-Virus, Adshampoo Firewall (yes, a mixed bag). Even ran *Hitman Pro 2* overnight.

Eventually got system to a usable state, although, not fast, and it ran reasonably well for about a week, then it really slowed up again

Problem is, how to verify if my system is truley clean and to establish what damage to system files etc has to be addressed.


----------



## JoeBlack999 (May 12, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:01, on 2008-07-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
D:\Software\Anti_Virus\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {11298E6D-4A10-43E4-894D-F5D9210D451C} - (no file)
O2 - BHO: (no name) - {155AEF9B-C290-475E-AE88-861AAEBD101A} - (no file)
O2 - BHO: (no name) - {34037DC3-6EF5-4101-BF1E-7D5F2A848F7B} - (no file)
O2 - BHO: (no name) - {3E59FF6A-0DC5-48B1-ACA7-F3BD82BF9BF2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {727FBC49-8F5F-475E-8BE2-058DACC50629} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {D1C18077-2B4B-44DF-ACCB-56C04B5024C2} - (no file)
O2 - BHO: (no name) - {D62A2513-0A8B-44F8-8479-3AFFAFC5FF82} - (no file)
O2 - BHO: (no name) - {F73C97CD-769D-41B6-94FA-1A9966AB4284} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ashampoo FireWall PRO] "C:\Program Files\Ashampoo\Ashampoo FireWall PRO\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\PCL-3000\Driver\WATCH.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1216178441656
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15102/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: geBqRjHy - C:\WINDOWS\
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\GEARSEC.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8290 bytes


----------



## JoeBlack999 (May 12, 2008)

Machine is slowing up, programs constantly report 'not responding' totally out of ideas - any help / lifeline would be appreciated.


----------



## JoeBlack999 (May 12, 2008)

Bump!


----------



## Cookiegal (Aug 27, 2003)

I have reopened your thread as requested.

Please post a new HijackThis log.


----------



## JoeBlack999 (May 12, 2008)

Programs hanging with the task manager reporting 'not responding' continues. Having to use a trial version of Salamander 2.51 (25 days left) in lie of explorer.

HiJacklog per request, thanks for reopening thread.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13, on 2008-09-29
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Shield\shdserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Shield\shieldclnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Shield\shieldtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Graham\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = >>> 'Full Speed' Enabled <<<
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: (no name) - {11298E6D-4A10-43E4-894D-F5D9210D451C} - (no file)
O2 - BHO: (no name) - {155AEF9B-C290-475E-AE88-861AAEBD101A} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {34037DC3-6EF5-4101-BF1E-7D5F2A848F7B} - (no file)
O2 - BHO: (no name) - {3E59FF6A-0DC5-48B1-ACA7-F3BD82BF9BF2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {727FBC49-8F5F-475E-8BE2-058DACC50629} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {D1C18077-2B4B-44DF-ACCB-56C04B5024C2} - (no file)
O2 - BHO: (no name) - {D62A2513-0A8B-44F8-8479-3AFFAFC5FF82} - (no file)
O2 - BHO: BhoMisc Class - {E3578B37-6346-4EC1-A82B-38273A100DCF} - (no file)
O2 - BHO: (no name) - {F73C97CD-769D-41B6-94FA-1A9966AB4284} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [shield] C:\Program Files\Shield\shieldtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - 
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1216178441656
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219869991812
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL...-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15102/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C43572E-B32C-4041-AFBB-64282F3663FA}: NameServer = 192.168.2.1,192.168.2.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{9C43572E-B32C-4041-AFBB-64282F3663FA}: NameServer = 192.168.2.1,192.168.2.100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - (no file)
O20 - Winlogon Notify: geBqRjHy - C:\WINDOWS\
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SHDSERV - Unknown owner - C:\Program Files\Shield\shdserv.exe
O23 - Service: Shield Client Service (ShieldClientService) - Unknown owner - C:\Program Files\Shield\shieldclnt.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 11527 bytes


----------



## JoeBlack999 (May 12, 2008)

Should have added, been working on the hardware side of my PC the last few days, added new usb card, new case fan, more memory and a whole new power supply. Also have gone wireless - which was a laugh. Still trying to get a FTP downloader (box of tricks) to work, but this should not have impacted on the problems, as they have been relatively long standing.


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions * for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.


----------



## JoeBlack999 (May 12, 2008)

Error message - log files too big for posting - so I have attached them.

I would be grateful if the usb devices option could be reset to autorun at the end of the process.


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\AR.DAT

DirLook::
C:\WINDOWS\system32\configfix
C:\Drivers
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## JoeBlack999 (May 12, 2008)

Having to attach log files again due to The text that you have entered is too long (43858 characters). Please shorten it to 30000 characters long.


----------



## Cookiegal (Aug 27, 2003)

Did you create some kind of backup folder called configfix on September 25, 2008?

C:\WINDOWS\system32\*configfix*


----------



## JoeBlack999 (May 12, 2008)

RE Configfix - to the best of my knowledge I did not create this - unless it is part of Norton Ghost.


----------



## Cookiegal (Aug 27, 2003)

Do you have a program called Rollback?

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## JoeBlack999 (May 12, 2008)

uninstall list per request.

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
ABBYY FineReader 9.0 Professional Edition
Acrobat.com
Adobe Acrobat 8.1.2 Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Setup
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
All Media Fixer 9.04
Altap Salamander 2.51
AnyDVD
Apple Mobile Device Support
Apple Software Update
Audible Download Manager
Canon iP4300
Canon iP4300 User Registration
CCleaner (remove only)
ChapterMaster
CloneCD
CloneDVD2
COWON Media Center - jetAudio Plus VX
Cracklock 3.9.44
Creative MediaSource DVD-Audio Player
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
dBpoweramp [Arrange Audio] Codec
dBpoweramp [Audio Info] Codec
dBpoweramp [Calculate Audio CRC] Codec
dBpoweramp [Channel Split] Codec
dBpoweramp [ID Tag Update] Codec
dBpoweramp [Length Split] Codec
dBpoweramp [Multi Encoder] Codec
dBpoweramp [ReplayGain] Codec
dBpoweramp [Tag From Filename] Codec
dBpoweramp Dalet Codec
dBpoweramp DirectShow Decoder
dBpowerAMP DirectShow Decoder Codec
dBpoweramp DSP Effects
dBpoweramp FLAC Codec
dBpoweramp m4a Codec
dBpoweramp Monkeys Audio Codec
dBpoweramp Mp2 and BwfMp2 codec
dBpoweramp mp3 (Fraunhofer IIS) Codec
dBpoweramp Music Converter
dBpoweramp Ogg Vorbis Codec
dBpoweramp Real Audio (Helix) Encoder
dBPoweramp tooLame MP2 codec
dBpoweramp Wave64 Codec
dBpoweramp WavPack Codec
dBpoweramp Windows Media Audio 10 Codec
Diskeeper Professional Edition
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Exact Audio Copy 0.99pb4
FLAC 1.2.1b (remove only)
GEAR 32bit Driver Installer
GEAR driver installer
GEAR Drivers
GoldWave v5.08
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
ImgBurn
InCD
Intel(R) Network Connections Drivers
iTunes
Java(TM) 6 Update 7
Kaspersky Internet Security 7.0
Kaspersky Internet Security 7.0
LiveUpdate 2.0 (Symantec Corporation)
Logitech Desktop Messenger
Logitech QuickCam Software
Logitech® Camera Driver
Magic ISO Maker v5.5 (build 0265)
Magic ISO Maker v5.5 (build 0272)
MagicDisc 2.7.105
MAGIX Audio Cleaning Lab 12 8.0.1.0 (US)
Malwarebytes' Anti-Malware
Mapedit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Monkey's Audio
Mozilla Firefox (3.0.3)
Mp3tag v2.41
MSXML 4.0 SP2 (KB936181)
Nero 6
Nero Digital
Nero Media Player
Norton Ghost 9.0
Notepad++
PCL -3000 v2.7
PDF Settings
Perfect Uninstaller v5.5
PowerDVD
PowerISO
QuickTime
Rollback Rx
Ruby 0.90.2
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Servant Salamander 2.5 RC1
SnagIt 9
Sony Ericsson Device Data
Sony Ericsson Drivers
Sony Ericsson PC Suite
Sony Ericsson PC Suite
Splat! 1.0
Spybot - Search & Destroy
Spyware Doctor 6.0
SpywareBlaster 4.1
TeraCopy 2.0 beta 3
TuneUp Utilities 2008
Unlocker 1.8.7
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb956080)
Update for Windows Internet Explorer 7 (KB928089)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VirtualCloneDrive
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Service Pack 3
WinRAR archiver
Xilisoft DVD to iPod Converter 5
Xilisoft Video Converter 3
Xilisoft Video Converter Ultimate


----------



## Cookiegal (Aug 27, 2003)

OK, I see you do have Rollback and so the configfix folder is created by that program.

You can uninstall this as it's not needed:

*Logitech Desktop Messenger*

How are things now?


----------



## JoeBlack999 (May 12, 2008)

The main issue now, is having to use the task manager to manually stop explorer processes when they appear to hang. This may be the my documents folder, or moving or copying files. I think they are all related to explorer.exe.


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## JoeBlack999 (May 12, 2008)

*Application data*

Event Type:	Error
Event Source:	Application Hang
Event Category: (101)
Event ID:	1002
Date: 2008-09-30
Time: 21:22
User: N/A
Computer:	HOME-1AFEECE286
Description:
Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 65 78 70 6c 6f 72 explor
0018: 65 72 2e 65 78 65 20 36 er.exe 6
0020: 2e 30 2e 32 39 30 30 2e .0.2900.
0028: 35 35 31 32 20 69 6e 20 5512 in 
0030: 68 75 6e 67 61 70 70 20 hungapp 
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 2008-10-01
Time: 18:53
User: N/A
Computer:	HOME-1AFEECE286
Description:
Hanging application WinRAR.exe, version 3.51.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 57 69 6e 52 41 52 WinRAR
0018: 2e 65 78 65 20 33 2e 35 .exe 3.5
0020: 31 2e 30 2e 30 20 69 6e 1.0.0 in
0028: 20 68 75 6e 67 61 70 70 hungapp
0030: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0038: 20 61 74 20 6f 66 66 73 at offs
0040: 65 74 20 30 30 30 30 30 et 00000
0048: 30 30 30 000

Event Type:	Error
Event Source:	Application Hang
Event Category:	None
Event ID:	1001
Date: 2008-10-01
Time: 18:53
User: N/A
Computer:	HOME-1AFEECE286
Description:
Fault bucket 233642652.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 32 33 33 36 34 32 36 35 23364265
0010: 32 0d 0a 2..

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	8
Date: 2008-10-03
Time: 18:53
User: N/A
Computer:	HOME-1AFEECE286
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	8
Date: 2008-10-03
Time: 20:12
User: N/A
Computer:	HOME-1AFEECE286
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	WmiAdapter
Event Category:	None
Event ID:	4099
Date: 2008-10-04
Time: 01:10
User: HOME-1AFEECE286\Graham
Computer:	HOME-1AFEECE286
Description:
Open of service failed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 2008-10-05
Time: 08:42
User: N/A
Computer:	HOME-1AFEECE286
Description:
Faulting application epmworker.exe, version 1.2.0.1236, faulting module ntdll.dll, version 5.1.2600.5512, fault address 0x00036f33.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 70 6d ure epm
0018: 77 6f 72 6b 65 72 2e 65 worker.e
0020: 78 65 20 31 2e 32 2e 30 xe 1.2.0
0028: 2e 31 32 33 36 20 69 6e .1236 in
0030: 20 6e 74 64 6c 6c 2e 64 ntdll.d
0038: 6c 6c 20 35 2e 31 2e 32 ll 5.1.2
0040: 36 30 30 2e 35 35 31 32 600.5512
0048: 20 61 74 20 6f 66 66 73 at offs
0050: 65 74 20 30 30 30 33 36 et 00036
0058: 66 33 33 0d 0a f33..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1001
Date: 2008-10-05
Time: 08:42
User: N/A
Computer:	HOME-1AFEECE286
Description:
Fault bucket 776166368.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 37 37 36 31 36 36 33 36 77616636
0010: 38 0d 0a 8..

Event Type:	Error
Event Source:	Application Error
Event Category:	(100)
Event ID:	1000
Date: 2008-10-07
Time: 17:03
User: N/A
Computer:	HOME-1AFEECE286
Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 20 30 2e ure 0.
0018: 30 2e 30 2e 30 20 69 6e 0.0.0 in
0020: 20 75 6e 6b 6e 6f 77 6e unknown
0028: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0030: 20 61 74 20 6f 66 66 73 at offs
0038: 65 74 20 30 30 30 30 30 et 00000
0040: 30 30 30 000

Event Type:	Error
Event Source:	pctsSvc.exe
Event Category:	None
Event ID:	0
Date: 2008-10-07
Time: 17:27
User: N/A
Computer:	HOME-1AFEECE286
Description:
The description for Event ID ( 0 ) in Source ( pctsSvc.exe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: The service process could not connect to the service controller.

Event Type:	Error
Event Source:	ShieldClientService
Event Category:	None
Event ID:	200
Date: 2008-10-07
Time: 18:04
User: N/A
Computer:	HOME-1AFEECE286
Description:
The description for Event ID ( 200 ) in Source ( ShieldClientService ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ShieldClientService: 1008., nc.InitCom failed
.

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 2008-10-07
Time: 19:13
User: N/A
Computer:	HOME-1AFEECE286
Description:
Hanging application nero.exe, version 6.6.1.15, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 6e 65 72 6f 2e 65 nero.e
0018: 78 65 20 36 2e 36 2e 31 xe 6.6.1
0020: 2e 31 35 20 69 6e 20 68 .15 in h
0028: 75 6e 67 61 70 70 20 30 ungapp 0
0030: 2e 30 2e 30 2e 30 20 61 .0.0.0 a
0038: 74 20 6f 66 66 73 65 74 t offset
0040: 20 30 30 30 30 30 30 30 0000000
0048: 30  0

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 2008-10-07
Time: 21:54
User: N/A
Computer:	HOME-1AFEECE286
Description:
Hanging application iPodManager.exe, version 1.0.49.925, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 50 6f 64 4d 61 iPodMa
0018: 6e 61 67 65 72 2e 65 78 nager.ex
0020: 65 20 31 2e 30 2e 34 39 e 1.0.49
0028: 2e 39 32 35 20 69 6e 20 .925 in 
0030: 68 75 6e 67 61 70 70 20 hungapp 
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 2008-10-07
Time: 21:54
User: N/A
Computer:	HOME-1AFEECE286
Description:
Hanging application iPodManager.exe, version 1.0.49.925, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 50 6f 64 4d 61 iPodMa
0018: 6e 61 67 65 72 2e 65 78 nager.ex
0020: 65 20 31 2e 30 2e 34 39 e 1.0.49
0028: 2e 39 32 35 20 69 6e 20 .925 in 
0030: 68 75 6e 67 61 70 70 20 hungapp 
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

*
System data*

System

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-08
Time: 19:27
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom2. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-08
Time: 19:27
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom1. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 2008-10-08
Time: 19:25
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Wired AutoConfig service depends on the Extensible Authentication Protocol Service service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 2008-10-08
Time: 19:25
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Human Interface Device Access service terminated with the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 2008-10-08
Time: 19:25
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Powert service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	NETLOGON
Event Category:	None
Event ID:	3095
Date: 2008-10-08
Time: 19:25
User: N/A
Computer:	HOME-1AFEECE286
Description:
This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 2008-10-07
Time: 22:00
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Wired AutoConfig service depends on the Extensible Authentication Protocol Service service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 2008-10-07
Time: 22:00
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Human Interface Device Access service terminated with the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 2008-10-07
Time: 22:00
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Powert service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

Do you have your Windows XP CD?


----------



## JoeBlack999 (May 12, 2008)

Yes, I have myXP disk, however, it does not carry sp2 or sp3, these have been downloaded and installed via the MS update site. I have 'slipstreamed' an xp disk up to sp3. However, I've had problems when Windows ask for "Windoes XP Home Edition Service Pack 3 CD" as I have no such disk and the slipstreamed sp3 disk is called something different.

Hope this help.


----------



## Cookiegal (Aug 27, 2003)

Go to the following link and follow the instructions to run chkdsk:

There can be serveral phases to the chkdsk run and it will reboot automatically when it is finished. Then double click the last "winlogon" entry in the Event Viewer Applications log to open a log of what chkdsk fixed. Then click on the icon that looks like two pieces of paper to copy the report to the clipboard and then paste it in a reply here.

http://www.housing.hawaii.edu/resources/support/chkdsk.htm


----------



## JoeBlack999 (May 12, 2008)

Checkdisk found no problems.

No errors on the Event Viewer - Application tab.

Plenty on the system tab

Error messages

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-10
Time: 22:46
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom1. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-10
Time: 22:46
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom3. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-10
Time: 22:46
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom0. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-10
Time: 22:46
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom2. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 2008-10-10
Time: 22:45
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Portable Media Serial Number Service service failed to start due to the following error: 
The executable program that this service is configured to run in does not implement the service.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 2008-10-10
Time: 22:45
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Powert service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 2008-10-10
Time: 22:45
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Human Interface Device Access service terminated with the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 2008-10-10
Time: 22:45
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Wired AutoConfig service depends on the Extensible Authentication Protocol Service service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	NETLOGON
Event Category:	None
Event ID:	3095
Date: 2008-10-10
Time: 22:44
User: N/A
Computer:	HOME-1AFEECE286
Description:
This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

Please download Malwarebytes Anti-Malware form *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
*If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. 
Also, if you receive an (Error Loading) error on reboot please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it returns on future reboots. *


----------



## JoeBlack999 (May 12, 2008)

Done full scan

Malwarebytes' Anti-Malware 1.28
Database version: 1209
Windows 5.1.2600 Service Pack 3

2008-10-11 02:12:09
mbam-log-2008-10-11 (02-12-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 238646
Time elapsed: 1 hour(s), 42 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## Cookiegal (Aug 27, 2003)

Please run the *F-Secure Online Scanner*

Note: *You must use Internet Explorer for this scan!*


Accept the License Agreement. 
Once the ActiveX installs click *Full System Scan* 
Once the download completes, the scan will begin automatically. 
The scan will take some time to finish, so please be patient. 
When the scan completes, click the *Automatic cleaning (recommended)* button. 
Click the *Show Report* button and copy and paste the entire report in your next reply.


----------



## JoeBlack999 (May 12, 2008)

Unable to use F-secure online scanner.

It loads up its definition files. and the instant it starts to scan - its goodnight for my pc - no blue screen of death, no warning, just a black screen and the system begins to reboot.

I have done a full sfc /scannow
ran Spybot search and destroy
Malwares anti malware
chk disk
driver scanner
I think rollback Rx may be preventing a boot time deframentation.

Currently running a full scan with Kaspersky Internet Security 2009 (fully licensed).

On two occassion over the last two days the pc has simply frozen.

I'm getting worried.

I appreciate the time and effort you are expending on my behalf.

Regards


----------



## Cookiegal (Aug 27, 2003)

When you ran the system file checker did it replace any files?


----------



## JoeBlack999 (May 12, 2008)

Yes, originally I ran it wihout the cd in the drive and it constanly asked for files, I later used a tip I got from the internet - to the effect of copying the i386 folder from the cd to the hard drive and repointing the requests there.

Additional, I found that the amount of freespace reported was very wrong, 6% when it should have been nearer 40%. I eventually had to use an emergency boot cd, to replace the mbr and to defrag.

The space is now reported correctly, but I must have had to use a rollback snapshot as the desktop looks older, but this is minor.


----------



## Cookiegal (Aug 27, 2003)

Please check the Event Viewer log again and post any new errors that have occurred since you ran the system file checker.


----------



## JoeBlack999 (May 12, 2008)

Logs per request.

The main symptom is the fault with explorer, having to use Salamander 2.5RC1

Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date: 2008-10-14
Time: 06:46
User: NT AUTHORITY\SYSTEM
Computer:	HOME-1AFEECE286
Description:
Windows saved user HOME-1AFEECE286\Graham registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	pctsSvc.exe
Event Category:	None
Event ID:	0
Date: 2008-10-13
Time: 22:17
User: N/A
Computer:	HOME-1AFEECE286
Description:
The description for Event ID ( 0 ) in Source ( pctsSvc.exe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: The service process could not connect to the service controller.

Application log

Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date: 2008-10-13
Time: 21:37
User: NT AUTHORITY\SYSTEM
Computer:	HOME-1AFEECE286
Description:
Windows saved user HOME-1AFEECE286\Graham registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

System log

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-15
Time: 19:25
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom1. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-15
Time: 19:25
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom3. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-15
Time: 19:25
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom2. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-15
Time: 19:25
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom0. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 2008-10-15
Time: 19:24
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Human Interface Device Access service terminated with the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 2008-10-15
Time: 19:24
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Wired AutoConfig service depends on the Extensible Authentication Protocol Service service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	NETLOGON
Event Category:	None
Event ID:	3095
Date: 2008-10-15
Time: 19:23
User: N/A
Computer:	HOME-1AFEECE286
Description:
This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 2008-10-14
Time: 19:58
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Human Interface Device Access service terminated with the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

I'm going to ask someone else to take a look at those errors for us.


----------



## Rollin' Rog (Dec 9, 2000)

There are two possibly signifcant "errors" there, one of which I've seen many times before and is usually easily resolveable. The other, I've never seen before and don't know precisely what you are running that it relates to.

The first is the Userenv errors -- often related to shutdown issues where processes are not completed in a timely fashion and bad data in the registry can be left in a particular User Profile.

Try installing this >>

http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

The Second has to do with Removeable Storage Manager -- which apparently is associated with a backup program. What backup program are you using?

There is a general description of the issue (written for Win2k) and a complex resolution method described here which most involves renaming the old database files, but I don't expect you to try to follow it unless we can relate these errors to a specfic application first.

http://support.microsoft.com/?id=235032

The "Removable Storage Manager" (RSM) service (run: *services.msc*) and be stopped if running -- but normally itis on manual and would not be running.

The log can be purged by first backing up and then renaming or deleting the contents of this folder and rebooting >>

C:\Windows\System32\ntmsdata


----------



## JoeBlack999 (May 12, 2008)

Put services on manual.

ran : http://www.microsoft.com/downloads/d...displaylang=en

The backup programs I use are Nero back it up (version 6) and Norton ghosts Version 9 - dont have any regular scheduled backups - just as and when.

Thanks for continuing to look at the issues.


----------



## Rollin' Rog (Dec 9, 2000)

Have the backups been completing without error?

We can give the suggested fix a try.

To do this, first run *services.msc* and locate the Removable Storage Manager service.

Mine is set on "manual" so I assume yours should be too. Normally it would not be running, but if it is, you can stop it from that interface.

With RSM stopped, navigate to *C:\Windows\System32\ntmsdata*

You can either backup and then delete the files in that directory -- or just rename them.

Then reboot. Try doing a manual backup again and see if there are any problems and afterwards check the Event Viewer again and see if there is a new error of that type corresponding to the time you did the backup.

Also check the Applications log and see if there are any new "Userenv" errors -- there shouldn't be.

Let me know what specirfic problems you are currently having so I can try to possibly relate them to any issues covered in the Event Viewer.

*Regarding this error >>*

_Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 2008-10-14
Time: 19:58
User: N/A
Computer: HOME-1AFEECE286
Description:
The Human Interface Device Access service terminate
d with the following error: 
The system cannot find the file specified._

*Are you having any problems with MIce or Keyboards?*

In the Device Manager (run: *devmgmt.msc*) are any problems indicated under Human Interface Devices?


----------



## JoeBlack999 (May 12, 2008)

_You mentioned RollBack Rx, this hopefully is not causing any problems as it has saved my bacon on a number of occassions and I have only good things to say about this program._

Backed up

C:\Windows\System32\ntmsdata

Did a Norton Ghost re-image and the backup worked.

Application log errors (last 48 hours)

Event Type:	Error
Event Source:	Norton Ghost 9.0
Event Category:	High Priority 
Event ID:	100
Date: 2008-10-24
Time: 20:33
User: N/A
Computer:	HOME-1AFEECE286
Description:
Description: Unable to successfully reconcile changes since last session. Unable to enumerate the current drives on this system.
Cannot initialize the Storage Management Engine.
Error E7C3000F: Device \\.\PhysicalDrive2 cannot read 1 sectors starting at LBA 741. Error 00000002: The system cannot find the file specified.
Details: 0xE7C3000F
Source: Norton Ghost 9.0

*
This may relate to a new external drive I have added, it was rescued from an old pc and fitted to a USB caddy. *

*Not an error but a warning*
Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date: 2008-10-24
Time: 20:04
User: NT AUTHORITY\SYSTEM
Computer:	HOME-1AFEECE286
Description:
Windows saved user HOME-1AFEECE286\Graham registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Application Hang
Event Category:	None
Event ID:	1001
Date: 2008-10-24
Time: 08:17
User: N/A
Computer:	HOME-1AFEECE286
Description:
Fault bucket 734037209.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 37 33 34 30 33 37 32 30 73403720
0010: 39 0d 0a 9..

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 2008-10-24
Time: 08:17
User: N/A
Computer:	HOME-1AFEECE286
Description:
Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 65 78 70 6c 6f 72 explor
0018: 65 72 2e 65 78 65 20 36 er.exe 6
0020: 2e 30 2e 32 39 30 30 2e .0.2900.
0028: 35 35 31 32 20 69 6e 20 5512 in 
0030: 68 75 6e 67 61 70 70 20 hungapp 
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00

Event Type:	Error
Event Source:	Application Hang
Event Category:	None
Event ID:	1001
Date: 2008-10-24
Time: 07:57
User: N/A
Computer:	HOME-1AFEECE286
Description:
Fault bucket 735639368.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 37 33 35 36 33 39 33 36 73563936
0010: 38 0d 0a 8..

*System*

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 2008-10-25
Time: 08:12
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Human Interface Device Access service terminated with the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7001
Date: 2008-10-25
Time: 08:12
User: N/A
Computer:	HOME-1AFEECE286
Description:
The Wired AutoConfig service depends on the Extensible Authentication Protocol Service service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	NETLOGON
Event Category:	None
Event ID:	3095
Date: 2008-10-25
Time: 08:12
User: N/A
Computer:	HOME-1AFEECE286
Description:
This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-24
Time: 20:37
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom3. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-24
Time: 20:37
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom0. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-24
Time: 20:37
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom2. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Removable Storage Service
Event Category:	None
Event ID:	15
Date: 2008-10-24
Time: 20:37
User: N/A
Computer:	HOME-1AFEECE286
Description:
RSM cannot manage library CdRom1. The database is corrupt.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Rollin' Rog (Dec 9, 2000)

Looks like just more of the same.



> Did a Norton Ghost re-image and the backup worked.


Meaning that you "created" a new backup, but did not "restore"? I didn't actually want you to try a restore -- just the backup.

Can you verify what "drives" you are asking Norton to backup and whether they are all present and accounted for? It sounds like you have it looking for something that it can't find or has corrupt data.



> Description: Unable to successfully reconcile changes since last session. Unable to enumerate the current drives on this system.





> RSM cannot manage library CdRom*


I don't know what "libraries" *CdRom* *is referring to, do you have something configured for backup that are designated as "CdRom" drives?

I assume after you backed up C:\Windows\System32\ntmsdata, you then proceeded to delete ntmsdata before attempting a full drive backup?

I don't know of any other fix for this issue -- which apparently is only cluttering your event viewer rather than creating a show stopping error.

This should not be occuring if "uphclean.exe" is installed and seen as a process in your tasklist >>

Event Type: Warning
Event Source: Userenv

Can you install this again, reboot, and then post a new HijackThis scanlog >>

http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

I don't think the other errors are particularly significant -- you may have a wireless device not connected which is causing some of these:



> Description:
> The Wired AutoConfig service depends on the Extensible Authentication Protocol Service service which failed to start because of the following error:
> The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


Finally, the "HID" errors (Human Interface Devices) -- any issues with that in the Device Manager showing?


----------



## JoeBlack999 (May 12, 2008)

Sorry for the long delay in responding:

Checked Norton Ghost only my two main internal drives, both 80gig have any backup job reference.
_
I assume after you backed up C:\Windows\System32\ntmsdata, you then proceeded to de
lete ntmsdata before attempting a full drive backup?_

Followed the instructions as indicated.

_RE : This should not be occuring if "uphclean.exe" is installed and seen as a process in your tasklist[
/I]

Will do and repost in a few minutes._


----------



## JoeBlack999 (May 12, 2008)

HiJackLog

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:39, on 10/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Shield\shdserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Shield\shieldclnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Shield\shieldtray.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Servant Salamander 2.5 RC1\SALAMAND.exe
D:\Utilities\HiJackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = >>> 'Full Speed' Enabled <<<
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO Class - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: BhoMisc Class - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [shield] C:\Program Files\Shield\shieldtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1216178441656
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219869991812
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL...-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15102/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: geBqRjHy - C:\WINDOWS\
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: SHDSERV - Unknown owner - C:\Program Files\Shield\shdserv.exe
O23 - Service: Shield Client Service (ShieldClientService) - Unknown owner - C:\Program Files\Shield\shieldclnt.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 12614 bytes


----------



## JoeBlack999 (May 12, 2008)

Also checked, no Human Interface Problems now shown.


----------



## JoeBlack999 (May 12, 2008)

Bump.


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O20 - Winlogon Notify: geBqRjHy - C:\WINDOWS\*

Reboot and post a new HijackThis log please.


----------



## JoeBlack999 (May 12, 2008)

I did remove the entry - 
O20 - Winlogon Notify: geBqRjHy - C:\WINDOWS\

but it resufaced after reboot

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:45, on 24/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Shield\shieldtray.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Shield\shdserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Shield\shieldclnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Xilisoft\Video Converter Ultimate\vc5.exe
C:\Program Files\Xilisoft\Video Converter Ultimate\avp.exe
C:\Program Files\Xilisoft\Video Converter Ultimate\avc.exe
D:\Utilities\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO Class - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: BhoMisc Class - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [shield] C:\Program Files\Shield\shieldtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1216178441656
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219869991812
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL...-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15102/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: geBqRjHy - C:\WINDOWS\
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: SHDSERV - Unknown owner - C:\Program Files\Shield\shdserv.exe
O23 - Service: Shield Client Service (ShieldClientService) - Unknown owner - C:\Program Files\Shield\shieldclnt.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 13312 bytes


----------



## Cookiegal (Aug 27, 2003)

Please disable Spybot S&D TeaTimer, as it may be interfering with the changes we want to make. You can enable it again when we're finished.

To disable Spybot S&D TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box.
Close SpyBot S&D

Then fix that entry in HijackThis again and post the new log please.


----------



## JoeBlack999 (May 12, 2008)

Disabled spybot teatimer, made changes, re-ran - log listed below - thanks for your continued help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:28, on 26/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Shield\shdserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Shield\shieldclnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Shield\shieldtray.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HFSUploader\HFSUploader.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\WINDOWS\system32\TBLMOUSE.EXE
C:\Program Files\iPod\bin\iPodService.exe
D:\Utilities\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO Class - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: BhoMisc Class - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [shield] C:\Program Files\Shield\shieldtray.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HFSUploader] C:\Program Files\HFSUploader\HFSUploader.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1216178441656
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219869991812
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL...-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15102/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: SHDSERV - Unknown owner - C:\Program Files\Shield\shdserv.exe
O23 - Service: Shield Client Service (ShieldClientService) - Unknown owner - C:\Program Files\Shield\shieldclnt.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 11406 bytes


----------



## Cookiegal (Aug 27, 2003)

How are things now?


----------



## JoeBlack999 (May 12, 2008)

Windows explorer still hangs. I can work around the issue using an alternative file browser. As is, the system works. On balance, until, and if, something else majoy happens that would require a rebuild and reinstall (clean) of XP etc, it may be worth closing this thread. Not to admit defeat but just to weigh up the amount help you have already provided versus bypassing Windows explorer.

In any event, thank you for your efforts, my PC is stable and usable - can't ask more than that.


----------



## Cookiegal (Aug 27, 2003)

I hate compromising though so let's continue and see if we can find the problem.

Download *OTScanIt.exe *to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on OTScanIt.exe to start the program.
Check the box that says *Scan All Users*
Under Drivers select the radio button for *All*
Under Rootkit Search select the radio button for *Yes*
Check the Radio buttons for Files/Folders Created Within *60 Days* and Files/Folders Modified Within *60 Days. These are the defaults so don't make any changes.* 
Under Additional Scans check the following:
Reg - BotCheck
Reg - Disabled MS Config Items
Reg - Security Settings
Reg - Software Policy Settings
Evnt - EventViewer Logs (last 10 errors)

Now click the *Run Scan* button on the toolbar.
The program may be scanning large amounts of data so depending on the scans requested and your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it automatically.
Save that Notepad file. Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Reply* button and upload the Notepad file here as an attachment please.


----------



## JoeBlack999 (May 12, 2008)

OTScanIT log for you. Thanks.


----------



## Cookiegal (Aug 27, 2003)

Start *OTScanIt*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill Explorer]
[Unregister Dlls]
[Driver Services - All]
YY -> (ASFWHide) ASFWHide [Kernel | On_Demand | Stopped] -> %UserProfile%\Local Settings\TEMP\ASFWHide
YY -> (DrvFltIp) DrvFltIp [Kernel | On_Demand | Stopped] -> %UserProfile%\Local Settings\TEMP\DrvFltIp
YY -> (srescan) srescan [Kernel | Boot | Stopped] -> %SystemRoot%\system32\ZoneLabs\srescan.sys
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> ~EmptyValue -> []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> avldr -> 
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{4064EA35-578D-4073-A834-C96D82CBCF40} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2052111302-1606980848-839522115-1004\] > -> HKEY_USERS\S-1-5-21-2052111302-1606980848-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{4064EA35-578D-4073-A834-C96D82CBCF40} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. []
[Files/Folders - Created Within 60 days]
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 60 days]
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 1 C:\Documents and Settings\Graham\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Graham\Local Settings\temp\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
Also, please let me know what files are in this folder:

C:\*Sys_XP*

Lastly, please export a registry key for me. To do that:

Go to *Start *- *Run *then copy and paste the following and click OK:

*regedit /e C:\look.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AA48D02-9E08-A2F5-6652-605F07995322"*

It will create a report at C:\look.txt. Please copy and paste the entire text of that file and wrap it in code tags please.


----------



## JoeBlack999 (May 12, 2008)

sys-xp file contains a rar backup of a number of drivers.

OT scan log attached. 


look txt in next reply


----------



## JoeBlack999 (May 12, 2008)

Look txt - tried several times to cut and paste the code you supplied - no look.txt surfaced on the c drive.


----------



## Cookiegal (Aug 27, 2003)

I've shortened the command to run so please use this one and see if it creates the C:\look.txt.

regedit /e C:\look.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"


----------



## JoeBlack999 (May 12, 2008)

```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AA48D02-9E08-A2F5-6652-605F07995322}]
"abgnkkglcmeaiohafceclcoinleaobaope"=hex:69,61,6c,6f,62,65,62,68,61,6d,67,6b,\
  65,68,6c,6f,67,65,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AA48D02-9E08-A2F5-6652-605F07995322}]
"abgnkkglcmeaiohafceclcoinleaobaope"=hex:69,61,6c,6f,62,65,62,68,61,6d,67,6b,\
  65,68,6c,6f,67,65,00
```


----------



## Cookiegal (Aug 27, 2003)

I'm sorry but I can't use the text in that format. You need to wrap it in code tags.

I see you tried but that's not correct.

Copy and paste the text and then click on the # sign in the tool bar of the reply box.


----------



## JoeBlack999 (May 12, 2008)

```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AA48D02-9E08-A2F5-6652-605F07995322}]
"abgnkkglcmeaiohafceclcoinleaobaope"=hex:69,61,6c,6f,62,65,62,68,61,6d,67,6 b,\
65,68,6c,6f,67,65,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AA48D02-9E08-A2F5-6652-605F07995322}]
"abgnkkglcmeaiohafceclcoinleaobaope"=hex:69,61,6c,6f,62,65,62,68,61,6d,67,6 b,\
65,68,6c,6f,67,65,00
```


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixJoe.zip file. Save it to your desktop. Unzip it and double-click the FixJoe.reg file and allow it to merge into the registry.

Then please reboot the machine and do another export of the same registry key as you did before please.


----------



## JoeBlack999 (May 12, 2008)

```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
```


----------



## Cookiegal (Aug 27, 2003)

OK, that's good.

Can you post a new HijackThis log and tell me how things are now please?


----------



## JoeBlack999 (May 12, 2008)

Windows explorer seems to be working - so far so good.

Did you identify the cause of the error? Log file below. As always, thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45, on 23/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Shield\shdserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Shield\shieldclnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Shield\shieldtray.exe
C:\Program Files\HFSUploader\HFSUploader.exe
C:\Program Files\HACE\Mmm\Mmm.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\TechSmith\SnagIt 9\Snagit32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
D:\Utilities\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO Class - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [shield] C:\Program Files\Shield\shieldtray.exe
O4 - HKLM\..\Run: [HFSUploader] C:\Program Files\HFSUploader\HFSUploader.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Mmm] "C:\Program Files\HACE\Mmm\Mmm.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O4 - Global Startup: Snagit 9.lnk = C:\Program Files\TechSmith\SnagIt 9\Snagit32.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1216178441656
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219869991812
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL...-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15102/CTPID.cab
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: SHDSERV - Unknown owner - C:\Program Files\Shield\shdserv.exe
O23 - Service: Shield Client Service (ShieldClientService) - Unknown owner - C:\Program Files\Shield\shieldclnt.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 11212 bytes


----------



## Cookiegal (Aug 27, 2003)

You should uninstall Cracklock. It wasn't showing in your previous HijackThis log but it was in the uninstall list.

What error are you referring to?


----------



## JoeBlack999 (May 12, 2008)

Cracklock was installed for a single reason - I purchased ShrinkMyTunes from play.com. The package contained a CD which, in effect, was a link to the mandatory registration form. Via this registration a code and download link for the program was made available. Now it seems that the company has gone bust, or it may be more suspicious based on various google searched I've made. Basically with my recent PC problems I required to re-register the program, however, with the registration site gone, the program and my hard earned cash have 'down the plug-hole'. I stumbled on Cracklock - which I admit does sound like a program to cheat software authors, but have a look at its site. This has allowed me to continue using my paid for program. Sorry to be long winded but I wanted to emphasise that I am not out to have free ride and software author's expenses.

The error I referred to was just trying to pin point the cause of the explorer problems, if it is something I am doing wrong I will try to avoid it.

Unfortunately explorer is still hanging, but perhaps noteworthy; it was stable for a time after your last fix but began to become unstable then became as bad as ever. There was definitely a noticeable deterioration.


----------



## Cookiegal (Aug 27, 2003)

Please remove Combofix by dragging and dropping it into the recycle bin and then get the latest version and run another scan please.


----------



## JoeBlack999 (May 12, 2008)

Happy New Year for 2009.


Combo fix log file too large for pasting, so I have attached it instead.

Regards


----------



## Cookiegal (Aug 27, 2003)

Please locate this and tell me if it's a folder or an actual file. If it's a folder, please tell me the names of the files it contains.

c:\windows\*59991D18A98845ABB1BF5ADE6E64CD3F.TMP*

Do you still have Boost Windows, Reg Cure and other registry cleaners and tweak programs? I think these cause more harm than good and recommend uninstalling them.

I'm attaching a FixJoe2.zip file. Save it to your desktop. Unzip it and double click the FixJoe2.reg file and allow it to merge with the registry.

Reboot and post a new HijackThis log please.


----------



## JoeBlack999 (May 12, 2008)

c:\windows\59991D18A98845ABB1BF5ADE6E64CD3F.TMP

Is a folder it contains the following:

WiseCustomCalla2.dll
WiseCustomCalla.dll

Google indicates:

WiseCustomCalla.dll (VirusScan Config Utility)WiseCustomCalla.dll (VirusScan Config Utility) is a component from the software McAfee VirusScan version 4.5.0 by Network Associates, Inc..

Also had a cull of the software you mentioned in your last post.

Dont have McAfee installed.


----------



## Cookiegal (Aug 27, 2003)

Other programs use those files too it seems. Let's run them through an on-line scanner.

Go to the following link and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

c:\windows\59991D18A98845ABB1BF5ADE6E64CD3F.TMP\WiseCustomCalla2.dll
c:\windows\59991D18A98845ABB1BF5ADE6E64CD3F.TMP\WiseCustomCalla.dll

Also, please do this:

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## JoeBlack999 (May 12, 2008)

Online scanner results:

File: WiseCustomCalla2.dll 
Status: OK 
MD5: 0a6efd93d9a1390962b09e118103c230 
Packers detected: -

Scanner results 
Scan taken on 07 Jan 2009 18:18:45 (GMT) 
A-Squared Found nothing 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV Found nothing 
CPsecure Found nothing 
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
G DATA Found nothing 
Ikarus Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
Panda Antivirus Found nothing 
Sophos Antivirus Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing

File: WiseCustomCalla.dll 
Status: OK 
MD5: 53fcb61337eef6a84c3b79e15aae0f07 
Packers detected: -

Scanner results 
Scan taken on 07 Jan 2009 18:25:03 (GMT) 
A-Squared Found nothing 
AntiVir Found nothing 
ArcaVir Found nothing 
Avast Found nothing 
AVG Antivirus Found nothing 
BitDefender Found nothing 
ClamAV Found nothing 
CPsecure Found nothing 
Dr.Web Found nothing 
F-Prot Antivirus Found nothing 
F-Secure Anti-Virus Found nothing 
G DATA Found nothing 
Ikarus Found nothing 
Kaspersky Anti-Virus Found nothing 
NOD32 Found nothing 
Norman Virus Control Found nothing 
Panda Antivirus Found nothing 
Sophos Antivirus Found nothing 
VirusBuster Found nothing 
VBA32 Found nothing

HiJack uninstall list

1-Click YouTube Downloader 2.0
ABBYY FineReader 9.0 Professional Edition
Acrobat.com
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Alien Skin Blow Up
Alien Skin Exposure
Alien Skin Eye Candy 5 Impact
Alien Skin Eye Candy 5 Nature
Alien Skin Eye Candy 5 Textures
Alien Skin Image Doctor 1.0
Alien Skin Snap Art
Alien Skin Xenofex 2.0
Alky for Applications (Windows XP)
All Media Fixer 9.04
Altap Salamander 2.51
AnyDVD
Apple Mobile Device Support
Apple Software Update
Aspell English Dictionary-0.50-2
Audible Download Manager
AudibleManager
Bluesoleil 6.4.240.2
Bonjour
BroadJump Client Foundation
Canon iP4300
Canon iP4300 User Registration
CCleaner (remove only)
ChapterMaster
CloneCD
CloneDVD2
COBY MP-C440 MP3 Player
CoffeeCup Direct FTP
CompuApps SwissKnife V3
ConvertXtoDVD 3.3.4.106c
Core Training for Microsoft® Office Excel 2003 
COWON Media Center - jetAudio Plus VX
Cracklock 3.9.44
Creative Audio Console
Creative MediaSource DVD-Audio Player
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
CyberLink PowerDVD8
dBpoweramp [Arrange Audio] Codec
dBpoweramp [Audio Info] Codec
dBpoweramp [Calculate Audio CRC] Codec
dBpoweramp [Channel Split] Codec
dBpoweramp [ID Tag Update] Codec
dBpoweramp [Length Split] Codec
dBpoweramp [Multi Encoder] Codec
dBpoweramp [ReplayGain] Codec
dBpoweramp [Tag From Filename] Codec
dBpoweramp Dalet Codec
dBpoweramp DirectShow Decoder
dBpowerAMP DirectShow Decoder Codec
dBpoweramp DSP Effects
dBpoweramp FLAC Codec
dBpoweramp m4a Codec
dBpoweramp Midi Decoder
dBpoweramp Monkeys Audio Codec
dBpoweramp Mp2 and BwfMp2 codec
dBpoweramp mp3 (Fraunhofer IIS) Codec
dBpoweramp Music Converter
dBpoweramp Ogg Vorbis Codec
dBpoweramp Real Audio (Helix) Encoder
dBPoweramp tooLame MP2 codec
dBpoweramp Wave64 Codec
dBpoweramp WavPack Codec
dBpoweramp Windows Media Audio 10 Codec
Diskeeper Professional Edition
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVD Audio Extractor 4.4.1
Easy-WebPrint
Exact Audio Copy 0.99pb4
FormatFactory
Gadget Installer
GEAR 32bit Driver Installer
GEAR driver installer
GEAR Drivers
Genuine Fractals 5.0
GNU Aspell 0.50-3
GoldWave v5.08
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HyperFileShare Easy Uploader
iColorFolder
IE Privacy Keeper
InCD
Intel(R) Network Connections 13.2.8.0
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 7
Kaspersky Internet Security 2009
Kaspersky Internet Security 2009
K-Lite Codec Pack 4.1.7 (Full)
Kyodai Mahjongg 2006 v1.42
LiveUpdate 2.0 (Symantec Corporation)
Magic ISO Maker v5.5 (build 0265)
Magic ISO Maker v5.5 (build 0272)
MAGIX Audio Cleaning Lab 14 Download version 9.0.2.0 (US)
Malwarebytes' Anti-Malware
Mapedit
Medieval CUE Splitter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Recent Documents Gadget
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.0.5)
Mp3tag v2.42
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 6
Nero Digital
Nero Media Player
Norton Ghost 9.0
Notepad++
Orbit Downloader
PCL -3000 v2.7
PDF Settings
PeerGuardian 2.0
Perfect Uninstaller v5.5
QuickTime
RAR Repair Tool v.4.0
RealPlayer
Rollback Rx
Ruby 0.90.2
Secunia PSI
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Servant Salamander 2.5 RC1
ShrinkMyTunes
Snagit 9.1
Sony Ericsson Device Data
Sony Ericsson Drivers
Sony Ericsson PC Suite
Sony Ericsson PC Suite
Splat! 1.0
Spybot - Search & Destroy
SpywareBlaster 4.1
TuneUp Utilities 2009
Uniblue DriverScanner 2009
Unlocker 1.8.7
Update for Windows Internet Explorer 7 (KB928089)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
User Profile Hive Cleanup Service
VirtualCloneDrive
VLC media player 0.9.8a
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Sidebar
Windows XP Service Pack 3
WinRAR archiver
Xilisoft DVD to iPod Converter 5
Xilisoft Video Converter 3
Xilisoft Video Converter Ultimate
XQDC X-Setup Pro 9.0.100


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*Java(TM) 6 Update 7*

Those files appear harmless although I can't be sure what program they are associated with.

How are things?


----------



## JoeBlack999 (May 12, 2008)

Java(TM) 6 Update 7 removed, system seem stable, will give it a work out and get back with a response.

Thanks for your help.


----------



## Cookiegal (Aug 27, 2003)

Please do that and post back here if you have any problems over the next few days.

I would also remove any old programs that you no longer need or use.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *Combo-Fix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.









Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------



## JoeBlack999 (May 12, 2008)

Please forgive my tardiness at responding. My system is now stable, thank you for your efforts and attention in resolving my PC worries.


----------



## Cookiegal (Aug 27, 2003)

You're quite welcome.


----------

