# Solved: Explorer keeps refreshing desktop



## HOBOcs (Jan 5, 2004)

IBM Thinkpad T41 - WinXP Pro SP2 (just loaded)

Issue: On startup - desktop not displayed (blank after Windows splash screen)
however I can CTRL-ALT-DEL and get to taskmanager and then run explorer.exe
Desktop then appears but it refreshes constantly as if something is shutting it down.

I monitored the Task processes and saw "verclsid.exe" briefly flicker just before explorer shut down and restarted - not sure if this is a red herring or not - did an MS KB lookup and saw something related to verclsid and security update 908531.

Not sure if this is a result of a virus corruption (windows registry).
Attached a HJT for review but I suspect more info is required.

Tried so far:
Ran usual Anti-virus and Anti-Spyware - tried sfc /scannow to check system files
Tried Safe mode last known config
Tried restore
Turned off restore
Have not run a Windows repair as yet.

Still have the issue. Note: the desktop refreshes about every 15 seconds - not long enough for me to search and start any programs - so the only way I can do this is through the run command of the task manager.

Looking for advice or direction.

Logfile of HijackThis v1.99.1
Scan saved at 1:28:19 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLanCfgG.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\imapi.exe
C:\Utilities\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Dynex Wireless G Enhanced Adapter Service (Dynex DX-WGPNBC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## HOBOcs (Jan 5, 2004)

Just ran ComboFix ---- It appears to have fixed the refresh issue.
But I assume I can use some additional coaching on what else to remove......

- See new log will post HJT as well

****
****
****

ComboFix 08-04-22.5 - Jesse 2008-04-23 15:12:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.258 [GMT -4:00]
Running from: C:\Utilities\Combofix\ComboFix.exe
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM87c08d2d.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\iifeeFYR.dll
C:\WINDOWS\system32\RYFeefii.ini
C:\WINDOWS\system32\RYFeefii.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 15:05 . 2008-04-23 15:09 d--------	C:\Documents and Settings\Jesse\.SunDownloadManager
2008-04-23 08:09 . 2006-08-21 05:14	128,896	---------	C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-23 08:09 . 2006-08-21 05:14	23,040	---------	C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-23 08:09 . 2006-08-21 08:21	16,896	---------	C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-23 07:32 . 2007-07-09 09:09	584,192	---------	C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-22 21:12 . 2007-01-23 15:29	546,304	---------	C:\WINDOWS\system32\dllcache\hhctrl.ocx
2008-04-22 21:12 . 2006-08-16 05:37	225,664	---------	C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-04-22 21:12 . 2006-08-16 07:58	100,352	---------	C:\WINDOWS\system32\dllcache\6to4svc.dll
2008-04-22 21:11 . 2006-06-22 06:47	181,248	---------	C:\WINDOWS\system32\dllcache\rasmans.dll
2008-04-22 21:09 . 2006-08-25 11:45	617,472	---------	C:\WINDOWS\system32\dllcache\comctl32.dll
2008-04-22 17:36 . 2004-08-04 00:56	2,897,920	--a------	C:\WINDOWS\system32\xpsp2res.dll
2008-04-22 17:36 . 2006-03-16 20:38	28,672	--a------	C:\WINDOWS\system32\verclsid.exe
2008-04-22 17:27 . 2008-04-22 17:27 d--------	C:\WINDOWS\system32\bits
2008-04-22 17:26 . 2008-04-23 08:22 d--h-----	C:\WINDOWS\$hf_mig$
2008-04-22 17:26 . 2005-06-28 10:21	22,752	--a------	C:\WINDOWS\system32\spupdsvc.exe
2008-04-22 17:01 . 2001-08-18 06:00	13,463,552	--a------	C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-04-22 16:15 . 2004-08-04 00:56	221,184	--a------	C:\WINDOWS\system32\wmpns.dll
2008-04-22 16:11 . 2004-08-03 23:08	40,832	---------	C:\WINDOWS\system32\drivers\irbus.sys
2008-04-22 16:09 . 2008-04-22 16:09 d--------	C:\WINDOWS\provisioning
2008-04-22 16:02 . 2008-04-22 16:02 d--------	C:\WINDOWS\ServicePackFiles
2008-04-22 15:49 . 2004-07-17 11:40	19,528	--a------	C:\WINDOWS\002675_.tmp
2008-04-22 15:41 . 2008-04-22 15:41 d--------	C:\WINDOWS\EHome
2008-04-15 21:06 . 2006-10-19 09:56	713,216	--a------	C:\WINDOWS\system32\sxs.dll
2008-04-15 21:06 . 2005-08-22 14:29	197,632	--a------	C:\WINDOWS\system32\netman.dll
2008-04-15 21:06 . 2004-08-04 00:56	87,552	--a------	C:\WINDOWS\system32\fldrclnr.dll
2008-04-15 21:06 . 2005-08-31 21:41	19,968	--a------	C:\WINDOWS\system32\linkinfo.dll
2008-04-15 21:04 . 2008-02-20 01:32	148,992	---------	C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-04-15 21:04 . 2006-03-01 15:42	91,136	--a------	C:\WINDOWS\system32\mtxoci.dll
2008-04-15 21:04 . 2006-03-01 15:42	66,560	--a------	C:\WINDOWS\system32\mtxclu.dll
2008-04-15 21:04 . 2006-06-26 13:37	8,192	---------	C:\WINDOWS\system32\dllcache\rasadhlp.dll
2008-04-15 19:37 . 2004-08-03 22:32	571,392	--a------	C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-04-15 19:36 . 2001-08-17 13:28	899,146	--a------	C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-04-15 19:35 . 2001-08-18 06:00	1,875,968	--a------	C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-04-15 19:34 . 2001-08-18 06:00	10,129,408	--a------	C:\WINDOWS\system32\dllcache\hwxkor.dll
2008-04-15 19:33 . 2001-08-18 06:00	10,096,640	--a------	C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-04-15 19:32 . 2001-08-18 06:00	1,677,824	--a------	C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-04-15 19:31 . 2001-08-17 22:36	2,134,528	--a------	C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll
2008-04-15 19:30 . 2001-08-18 06:00	169,984	--a------	C:\WINDOWS\system32\dllcache\iisui.dll
2008-04-15 19:30 . 2001-08-18 06:00	94,720	--a------	C:\WINDOWS\system32\dllcache\certmap.ocx
2008-04-15 19:30 . 2001-08-17 14:56	66,048	--a------	C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-04-15 19:30 . 2001-08-18 06:00	19,968	--a------	C:\WINDOWS\system32\dllcache\inetsloc.dll
2008-04-15 19:30 . 2001-08-18 06:00	14,336	--a------	C:\WINDOWS\system32\dllcache\iisreset.exe
2008-04-15 19:30 . 2001-08-18 06:00	7,680	--a------	C:\WINDOWS\system32\dllcache\inetmgr.exe
2008-04-15 19:30 . 2001-08-18 06:00	6,144	--a------	C:\WINDOWS\system32\dllcache\ftpsapi2.dll
2008-04-15 19:30 . 2001-08-18 06:00	5,632	--a------	C:\WINDOWS\system32\dllcache\iisrstap.dll
2008-04-15 19:02 . 2004-08-04 00:56	438,784	--a------	C:\WINDOWS\system32\xpob2res.dll
2008-04-15 19:02 . 2004-08-04 00:56	351,232	--a------	C:\WINDOWS\system32\winhttp.dll
2008-04-15 19:02 . 2004-08-04 00:56	18,944	--a------	C:\WINDOWS\system32\qmgrprxy.dll
2008-04-15 19:02 . 2004-08-04 00:56	8,192	--a------	C:\WINDOWS\system32\bitsprx2.dll
2008-04-15 19:02 . 2004-08-04 00:56	7,168	--a------	C:\WINDOWS\system32\bitsprx3.dll
2008-04-15 16:06 . 2007-07-30 19:19	549,720	--a------	C:\WINDOWS\system32\wuapi.dll
2008-04-15 16:06 . 2007-07-30 19:19	325,976	--a------	C:\WINDOWS\system32\wucltui.dll
2008-04-15 16:06 . 2007-07-30 19:19	216,408	--a------	C:\WINDOWS\system32\wuaucpl.cpl
2008-04-15 16:06 . 2007-07-30 19:19	203,096	--a------	C:\WINDOWS\system32\wuweb.dll
2008-04-15 16:06 . 2004-08-03 14:03	186,136	--a------	C:\WINDOWS\system32\wuaueng1.dll
2008-04-15 16:06 . 2004-08-03 14:01	167,704	--a------	C:\WINDOWS\system32\wuauclt1.exe
2008-04-15 16:06 . 2007-07-30 19:18	33,624	--a------	C:\WINDOWS\system32\wups.dll
2008-04-15 16:03 . 2008-04-15 16:03 d--------	C:\Program Files\Belarc
2008-04-15 16:03 . 2005-04-07 17:18	3,840	--a------	C:\WINDOWS\system32\drivers\BANTExt.sys
2008-04-14 23:37 . 2008-04-14 23:37 d--------	C:\Program Files\IObit
2008-04-14 22:53 . 2008-04-23 02:03 dr-h-----	C:\$VAULT$.AVG
2008-04-14 22:47 . 2008-04-22 17:22 d--------	C:\Documents and Settings\Jesse\Application Data\AVG7
2008-04-14 22:44 . 2008-04-14 22:44 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-14 22:43 . 2008-04-14 22:43	499,712	--a------	C:\WINDOWS\system32\msvcp71.dll
2008-04-14 22:43 . 2008-04-14 22:43	348,160	--a------	C:\WINDOWS\system32\msvcr71.dll
2008-04-14 22:42 . 2008-04-23 08:58 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-04-14 22:41 . 2008-04-14 22:41 d--------	C:\Documents and Settings\Jesse\Application Data\Grisoft
2008-04-14 22:38 . 2007-05-30 08:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-14 22:37 . 2008-04-14 22:42 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-14 22:35 . 2008-04-14 22:35 d--------	C:\Program Files\CleanUp!
2008-04-14 22:32 . 2008-04-23 15:04 d--------	C:\Utilities
2008-04-14 22:26 . 2001-08-17 16:48	12,160	--a------	C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-14 22:26 . 2001-08-17 16:48	12,160	--a------	C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-14 22:24 . 2001-08-17 17:02	9,600	--a------	C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-14 22:24 . 2001-08-17 17:02	9,600	--a------	C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-31 07:36 . 2008-04-14 22:26	1,597,294	--ahs----	C:\WINDOWS\system32\rihycobv.ini
2008-03-30 19:27 . 2008-04-22 16:50	320	--ahs----	C:\WINDOWS\system32\AycIRqru.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 20:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\IBM
2008-04-22 20:55	---------	d--h--w	C:\Documents and Settings\Jesse\Application Data\yahoo!
2008-04-22 20:55	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-15 03:32	---------	d-----w	C:\Documents and Settings\Jesse\Application Data\LimeWire
2008-04-15 03:00	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-04-15 02:57	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-15 02:55	---------	d-----w	C:\Program Files\Symantec
2008-03-20 08:47	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-03-20 08:47	---------	d-----w	C:\Documents and Settings\Jesse\Application Data\InterTrust
2008-03-18 05:02	---------	d-----w	C:\Program Files\DivX
2008-03-12 08:35	---------	d-----w	C:\Program Files\Yahoo!
2008-03-12 06:42	---------	d-----w	C:\Program Files\LimeWire
2008-03-12 05:37	---------	d-----w	C:\Program Files\MSN Messenger
2008-03-12 01:36	---------	d-----w	C:\Documents and Settings\Jesse\Application Data\MSN6
2008-03-12 01:32	---------	d-----w	C:\Documents and Settings\Jesse\Application Data\IBM
2008-03-12 00:22	17,801	----a-w	C:\WINDOWS\system32\drivers\AegisP.sys
2008-03-12 00:22	---------	d-----w	C:\Program Files\Dynex Wireless G Enhanced Adapter
2008-03-12 00:21	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-03-01 10:34	---------	d-----w	C:\Documents and Settings\All Users\Application Data\MSN6
2008-02-26 19:52	---------	d-----w	C:\Documents and Settings\Jesse\Application Data\InterVideo
2008-02-25 11:32	---------	d-----w	C:\Program Files\InterActual
2008-02-24 23:06	47	----a-w	C:\WINDOWS\system32\drivers\IBM_2373_7JU.MRK
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBM RecordNow!"="" []
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 03:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-28 15:11 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-28 15:10 512000]
"TpShocks"="TpShocks.exe" [2003-09-04 03:02 77824 C:\WINDOWS\system32\TpShocks.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 14:10 94208]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-07-11 05:34 20480]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-09-02 17:56 897024]
"TP4EX"="tp4ex.exe" [2002-09-04 05:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 12:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 01:10 335872]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 20:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 05:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-10-22 05:04 114741]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-03-12 07:10 49152]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-22 21:10 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-14 22:43 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqOHxuS]
ssqOHxuS.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-09-11 14:03]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2004-03-12 07:10]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2004-03-12 07:10]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-07-11 05:34]
R2 Dynex DX-WGPNBC WLService;Dynex Wireless G Enhanced Adapter Service;C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe [2004-03-29 20:08]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-07-24 17:26]
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\PCX504.sys [2003-02-14 21:16]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2004-03-12 07:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 22:55:36 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 15:22:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLanCfgG.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.exe
.
**************************************************************************
.
Completion time: 2008-04-23 15:28:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 19:28:38

Pre-Run: 27,915,505,664 bytes free
Post-Run: 27,827,056,640 bytes free

204	--- E O F ---	2008-04-23 12:23:37

****
****
****
HJT
Logfile of HijackThis v1.99.1
Scan saved at 3:40:11 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
C:\Program Files\Dynex Wireless G Enhanced Adapter\WLanCfgG.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utilities\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: ssqOHxuS - ssqOHxuS.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Dynex Wireless G Enhanced Adapter Service (Dynex DX-WGPNBC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Enhanced Adapter\WLService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## sjpritch25 (Sep 8, 2005)

Welcome to TSG 

Please download *Malwarebytes Anti-Malware* from *Here* or *Here*
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes Anti-Malware*, then click Finish. 
If an update is found, it will download and install the latest version. 
Once the program has loaded, select *Perform Quick Scan*, then click *Scan*. 
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. 
Make sure that *everything is checked*, and click *Remove Selected*. 
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. 
Copy and paste the entire report in your next reply.

Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## HOBOcs (Jan 5, 2004)

Thanks for checking in on this one for me...

Log from malwarebytes

Malwarebytes' Anti-Malware 1.11
Database version: 676

Scan type: Quick Scan
Objects scanned: 33119
Time elapsed: 10 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## sjpritch25 (Sep 8, 2005)

no problem

Run HijackThis, and press "Do a System Scan Only". 
1. When the scan is complete place a check mark next to the following entries:

*O20 - Winlogon Notify: ssqOHxuS - ssqOHxuS.dll (file missing)*

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...

========================================

Please perform a scan with *Kaspersky Webscan Online Virus Scanner*

1. Read the Requirements and Privacy statement, then select "*Accept*".
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "*Do you want to install this software*?".
3. Click "*Yes*" or select "*Install*" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "*Next*".
5. Click "*Scan Settings*" and check the option to use the *Extended Database* (if available, otherwise Standard).
6. Click "*Scan Options*" and select both "*Scan Archives*" and "*Scan Mail Bases*".
7. Click "*OK*".
8. Under "*Select a target to scan*", click on "*My Computer*".
9. When the scan is complete choose to save the results as "*Save as Text*" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for _Free Online Virus Scanner_. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps *here* and reboot afterwards if your system does not reboot automatically, or it will show '_Kaspersky Online Scanner license key was not found!_'


----------
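An added example, not part of the thread and not HijackThis's own code: a small Python triage script that parses HijackThis entry lines, lists entries whose target file is reported absent (the `(file missing)` and `(no file)` markers seen in the logs above), and diffs a before and an after log. The sample lines are excerpts from the two HijackThis logs posted in this thread; the function names are this example's own.

```python
import re
from collections import namedtuple

# One parsed HijackThis entry: section code ("O20") and the rest of the line.
Entry = namedtuple("Entry", "code text")

# Entry lines look like "O20 - Winlogon Notify: name - file.dll".
# Process paths ("C:\WINDOWS\...") and header lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Markers appended when the referenced file is not on disk.
ORPHAN_RE = re.compile(r"\((file missing|no file)\)\s*$", re.IGNORECASE)
NOTIFY_RE = re.compile(
    r"^Winlogon Notify: (.+?) - (.+?)(?: \((?:file missing|no file)\))?$"
)

# Excerpt of the first log in the thread (before the cleanup run).
BEFORE = r"""
Running processes:
C:\WINDOWS\explorer.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
"""

# Excerpt of the second log in the thread (after the cleanup run).
AFTER = r"""
Running processes:
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O20 - Winlogon Notify: ssqOHxuS - ssqOHxuS.dll (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
"""


def parse_entries(log_text):
    """Return the entry lines of a HijackThis log as Entry tuples, in order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def orphaned(entries):
    """Entries that still point at a file the scanner could not find."""
    return [e for e in entries if ORPHAN_RE.search(e.text)]


def winlogon_notify(entries):
    """Return (key name, dll, file_missing) for each O20 Winlogon Notify entry."""
    found = []
    for e in entries:
        if e.code != "O20":
            continue
        m = NOTIFY_RE.match(e.text)
        if m:
            missing = bool(ORPHAN_RE.search(e.text))
            found.append((m.group(1), m.group(2), missing))
    return found


def diff_logs(before_text, after_text):
    """Return (added, removed) entries between two logs, each sorted."""
    before = set(parse_entries(before_text))
    after = set(parse_entries(after_text))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for e in orphaned(parse_entries(AFTER)):
        print("orphaned:", e.code, "-", e.text)
    added, removed = diff_logs(BEFORE, AFTER)
    for e in added:
        print("added:   ", e.code, "-", e.text)
    for e in removed:
        print("removed: ", e.code, "-", e.text)
```

An orphaned entry only says the registry reference outlived its file; whether it is a leftover worth fixing is still a judgement made from the surrounding log, as in the reply above.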



## HOBOcs (Jan 5, 2004)

Kas - log for your review.....



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 24, 2008 1:50:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/04/2008
Kaspersky Anti-Virus database records: 724614
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 50002
Number of viruses found: 3
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 01:00:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
C:\Documents and Settings\Jesse\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Jesse\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat	Object is locked	skipped
C:\Documents and Settings\Jesse\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Jesse\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Jesse\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Jesse\Local Settings\History\History.IE5\MSHist012008042420080425\index.dat	Object is locked	skipped
C:\Documents and Settings\Jesse\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Jesse\My Documents\LimeWire\Saved\nasdear mama.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	skipped
C:\Documents and Settings\Jesse\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\Jesse\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333	skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333	skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333	skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE	ZIP: infected - 3	skipped
C:\IBMWORK\3GHXQJA_\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333	skipped
C:\IBMWORK\3GHXQJA_\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333	skipped
C:\IBMWORK\3GHXQJA_\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE	Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333	skipped
C:\IBMWORK\3GHXQJA_\RRPC\superinstall.EXE	ZIP: infected - 3	skipped
C:\QooBox\Quarantine\catchme2008-04-23_151751.68.zip/iifeeFYR.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.qni	skipped
C:\QooBox\Quarantine\catchme2008-04-23_151751.68.zip	ZIP: infected - 1	skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP4\A0000159.dll	Object is locked	skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP7\change.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\DEFAULT	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SOFTWARE	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SYSTEM	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.


----------



## sjpritch25 (Sep 8, 2005)

Please *DELETE* the following file(s) *IF STILL PRESENT*. You can use Windows Explorer to navigate or use the Windows Search feature to locate them.

*Files:*
C:\Documents and Settings\Jesse\My Documents\LimeWire\Saved\nasdear mama.mp3 *<-- this file*

How is everything running??


----------



## HOBOcs (Jan 5, 2004)

Deleted the file - re-ran the usual utilities - everything is fine.

FYI - Combofix appeared to get rid of the initial "desktop refresh" issue. But the other tools found a lot more ... great stuff

Question: what's your feeling on this Malwarebytes program - it's relatively new.

Marking Resolved.
Always appreciate the help :up:


----------



## sjpritch25 (Sep 8, 2005)

It's actually all I recommend. The developers involved in Malwarebytes Anti-Malware are involved in the online community and do great work. The lead Malware Researcher I know personally from Castlecops and another developer. They may be small, but they make up for it with the great work they do. I have tested MBAM many times and it removes much more than most other Anti-Malware products including rootkits. There is a new version in the works that's going to make it even better.

You can uninstall ComboFix by running the command *ComboFix /u* from the *Run* command.

You're welcome

cheers  :up:


----------

