# Explorer.exe crashes every half a minute



## qoolio (Mar 16, 2008)

I'm at wit's end. I'm running Win XP SP2. I've cleaned spyware using Spybot S&D and also Ad-Aware 2007. Updated Windows XP. Cleaned the registry and checked it for errors using TuneUp Utilities 2008. However, once Windows loads and starts, Explorer keeps closing, every 30 seconds or so. Please help!

I've been reading a similar thread and decided to post a HijackThis log file. So here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:51 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
E:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TuneUp Utilities 2008\SystemInformation.exe
E:\downloads\Firefox\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load= 
F3 - REG:win.ini: run= 
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [003aa0bc] rundll32.exe "C:\WINDOWS\system32\hekrdlye.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM03099320] Rundll32.exe "C:\WINDOWS\system32\rnpcbttn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1205321471984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2D3A4B9-5BDC-462B-B998-CD5E15BB5BE6}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7696 bytes
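A triage pass over the O4 entries of a log like the one above, written in Python as an added example for this thread; it is not HijackThis code and was not supplied by any poster. It assumes the log is available as plain text and runs on a constructed sample built from a few of the lines above: it parses the O4 Run-key lines and, without deciding anything on its own, sorts to the top the entries that give a human the least to go on, namely value names that are bare hex strings and rundll32 commands that call a one-letter export. The names `RunEntry`, `parse_o4`, `assess`, `flagged` and the sample text are assumptions of this example.

```python
"""Triage HijackThis O4 (Run-key autostart) entries for rundll32 loaders.

Added example for this thread, not HijackThis code. It does not identify
malware by itself; it only ranks entries a person should look at first.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of O4 lines modelled on the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [003aa0bc] rundll32.exe "C:\WINDOWS\system32\hekrdlye.dll",b
O4 - HKLM\..\Run: [BM03099320] Rundll32.exe "C:\WINDOWS\system32\rnpcbttn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] "<dll>",<export>   (quotes around the DLL path are optional)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)\s*$', re.IGNORECASE)
# A value name that is nothing but 8+ hex digits was generated, not chosen by a vendor.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8,}$', re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_o4(text):
    """One RunEntry per O4 Run-key line; other O4 forms (Startup folder) are skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m['hive'], m['name'], m['cmd']))
    return entries


def assess(entry):
    """Attach human-readable reasons an entry deserves review; empty list = nothing odd."""
    if HEX_NAME_RE.match(entry.name):
        entry.reasons.append("run-key name is a bare hex string")
    m = RUNDLL_RE.match(entry.command)
    if m and len(m['export']) == 1:
        # Vendor autostarts name a descriptive export (NvCpl.dll,NvStartup); a
        # one-character export gives no hint of who wrote the DLL, so look closer.
        entry.reasons.append("rundll32 calls a single-letter export")
    return entry


def flagged(text):
    """(value name, reasons) for every entry with at least one reason, in log order."""
    return [(e.name, e.reasons) for e in map(assess, parse_o4(text)) if e.reasons]


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LOG):
        print(f"[{name}] -> {'; '.join(reasons)}")
```

Everything flagged still has to be verified by hand (file signer, creation time, a hash lookup against a reputation service); vendor entries such as `NvCpl.dll,NvStartup` stay unflagged because their export name is descriptive, which is exactly the property the check keys on.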


----------



## devil_himself (Apr 7, 2007)

Greetings qoolio, Welcome To TSG

Click Start, click Run, type eventvwr.msc in the Open box, and then press Enter.
Click the Application category.

Look For Recent Errors > Double Click on them > Another Window Will Open > On the Right Side use the Double Notepad icon to copy the error, then paste them here


----------



## qoolio (Mar 16, 2008)

Greetings Devil and thanks for the reply.

I've managed to open the Event Viewer. There are several warnings. Here they are:

Event Type:	Warning
Event Source:	WinMgmt
Event Category:	None
Event ID:	63
Date: 3/11/2008
Time: 4:02:49 PM
User: NT AUTHORITY\SYSTEM
Computer:	USER-89F310F58A
Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	WinMgmt
Event Category:	None
Event ID:	63
Date: 3/11/2008
Time: 4:02:51 PM
User: NT AUTHORITY\SYSTEM
Computer:	USER-89F310F58A
Description:
A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	WinMgmt
Event Category:	None
Event ID:	63
Date: 3/11/2008
Time: 4:02:51 PM
User: NT AUTHORITY\SYSTEM
Computer:	USER-89F310F58A
Description:
A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	WinMgmt
Event Category:	None
Event ID:	5603
Date: 3/11/2008
Time: 4:05:37 PM
User: NT AUTHORITY\SYSTEM
Computer:	USER-89F310F58A
Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	WinMgmt
Event Category:	None
Event ID:	5603
Date: 3/11/2008
Time: 4:05:37 PM
User: NT AUTHORITY\SYSTEM
Computer:	USER-89F310F58A
Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	WinMgmt
Event Category:	None
Event ID:	63
Date: 3/11/2008
Time: 5:57:40 PM
User: NT AUTHORITY\SYSTEM
Computer:	USER-89F310F58A
Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date: 3/13/2008
Time: 1:15:11 AM
User: NT AUTHORITY\SYSTEM
Computer:	USER-89F310F58A
Description:
Windows saved user USER-89F310F58A\User registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date: 3/13/2008
Time: 2:32:35 PM
User: NT AUTHORITY\SYSTEM
Computer:	USER-89F310F58A
Description:
Windows saved user USER-89F310F58A\User registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/14/2008
Time: 8:52:35 PM
User: N/A
Computer:	USER-89F310F58A
Description:
Faulting application ad-aware2007.exe, version 7.0.2.1, faulting module ad-aware2007.exe, version 7.0.2.1, fault address 0x00094c9a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 61 64 2d ure ad-
0018: 61 77 61 72 65 32 30 30 aware200
0020: 37 2e 65 78 65 20 37 2e 7.exe 7.
0028: 30 2e 32 2e 31 20 69 6e 0.2.1 in
0030: 20 61 64 2d 61 77 61 72 ad-awar
0038: 65 32 30 30 37 2e 65 78 e2007.ex
0040: 65 20 37 2e 30 2e 32 2e e 7.0.2.
0048: 31 20 61 74 20 6f 66 66 1 at off
0050: 73 65 74 20 30 30 30 39 set 0009
0058: 34 63 39 61 0d 0a 4c9a..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/14/2008
Time: 8:52:39 PM
User: N/A
Computer:	USER-89F310F58A
Description:
Faulting application ad-aware2007.exe, version 7.0.2.1, faulting module ad-aware2007.exe, version 7.0.2.1, fault address 0x00094c9a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 61 64 2d ure ad-
0018: 61 77 61 72 65 32 30 30 aware200
0020: 37 2e 65 78 65 20 37 2e 7.exe 7.
0028: 30 2e 32 2e 31 20 69 6e 0.2.1 in
0030: 20 61 64 2d 61 77 61 72 ad-awar
0038: 65 32 30 30 37 2e 65 78 e2007.ex
0040: 65 20 37 2e 30 2e 32 2e e 7.0.2.
0048: 31 20 61 74 20 6f 66 66 1 at off
0050: 73 65 74 20 30 30 30 39 set 0009
0058: 34 63 39 61 0d 0a 4c9a..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/14/2008
Time: 8:52:41 PM
User: N/A
Computer:	USER-89F310F58A
Description:
Faulting application ad-aware2007.exe, version 7.0.2.1, faulting module ad-aware2007.exe, version 7.0.2.1, fault address 0x00094c9a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 61 64 2d ure ad-
0018: 61 77 61 72 65 32 30 30 aware200
0020: 37 2e 65 78 65 20 37 2e 7.exe 7.
0028: 30 2e 32 2e 31 20 69 6e 0.2.1 in
0030: 20 61 64 2d 61 77 61 72 ad-awar
0038: 65 32 30 30 37 2e 65 78 e2007.ex
0040: 65 20 37 2e 30 2e 32 2e e 7.0.2.
0048: 31 20 61 74 20 6f 66 66 1 at off
0050: 73 65 74 20 30 30 30 39 set 0009
0058: 34 63 39 61 0d 0a 4c9a..

I've had a similar problem on my other machine.


----------



## devil_himself (Apr 7, 2007)

Download And Install "User Profile Hive Cleanup Service"
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

Right Click On "My Computer" > Properties > Advanced > Under Performance Click Settings > Data Execution Prevention Tab > Check "Turn on DEP for essential Windows programs and services only"


----------



## qoolio (Mar 16, 2008)

Ok, done that and rebooted but it still happens.


----------



## devil_himself (Apr 7, 2007)

Does It Happen Randomly OR When You Are Doing Something Specific?


----------



## qoolio (Mar 16, 2008)

It happens every time I load up Windows. I left the machine on for several hours and it does the same thing, i.e. the taskbar appears, then disappears, then reappears. I have to hit Ctrl + Alt + Del and run programs via the Windows Task Manager because the taskbar keeps disappearing. The cycle goes on and on. It's because explorer.exe crashes and then gets loaded again, then closes, then starts again.


----------



## stressfreesoul (Mar 13, 2008)

But on mine it happens randomly, sometimes it loads itself back up, sometimes not. If I find out any info I'll post it here. I'm gonna keep reading here too cos as you know it's an annoying problem...lol


----------



## qoolio (Mar 16, 2008)

When it happens on two machines (my office desktop) and the one at home it's becoming a pain up my behind! In my case it always loads itself back up.


----------



## devil_himself (Apr 7, 2007)

Uninstall "Lavasoft aware2007.exe"

Let Me Know The Result


----------



## qoolio (Mar 16, 2008)

I've uninstalled it on my office PC and it certainly did the trick. It's a lot more stable now. No crashes so far.

I'll have to run the same technique on my home PC! Thanks a lot! I'll let you know should anything else come up.


----------



## qoolio (Mar 16, 2008)

Unfortunately that didn't do it for my home PC. It is still doing it.


----------



## devil_himself (Apr 7, 2007)

The Errors You Posted In Post #3 Are From Which Computer .... Home Or Office ?


----------



## qoolio (Mar 16, 2008)

from home


----------



## devil_himself (Apr 7, 2007)

Check Out

Troubleshooting Windows Explorer Errors
http://www.helpwithwindows.com/techfiles/explorer-crashes.html


----------



## qoolio (Mar 16, 2008)

Well, I've tried disabling and enabling stuff like the link says using ShellExView and explorer still crashes...

I'll check for spyware using Spybot S&D for now

I'll also install and run windows defender to see if anything turns up


----------



## Jeruvy (Sep 20, 2007)

Try this:

Download 'ShellExView' here:

http://www.snapfiles.com/get/shellexview.html

Start it up (the download is just an exe and a help file), then it will take a bit of time loading all the shell extensions in explorer.

Sort by company name.

DISABLE all NON-Microsoft extensions. Since the sort is alphabetical you'll need to look at the top and bottom of the list.

Do the explorer crashes stop or reduce in frequency? If so then it's very likely one (or more) of those extensions is causing the problem. You'll need to ENABLE them one by one until you find the likely culprit.

It's possible it's due to buggy software; software that's been removed but left the shell extensions behind (Adobe comes to mind here...) due to poor uninstallers; or just evil malware.

If explorer is creating BSODs or generating error reports, you could save one and post it here for analysis.

Good luck!


----------



## qoolio (Mar 16, 2008)

How do you sort by company name in ShellExView? Erm, ignore this, I've figured it out.


----------



## qoolio (Mar 16, 2008)

Ok, so I've disabled all non-microsoft extensions, however there is one extension in particular that I can't seem to disable no matter how many times I try to disable it. Here it is:

Adobe PDF Reader Link Helper	No	Browser Helper Object	Adobe PDF Helper for Internet Explorer	8.0.0.2006102200	AcroIEHelper Library	Adobe Systems Incorporated	No	No	No	C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll	{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}	10/22/2006 11:08:42 PM	2/18/2008 2:51:19 PM	No A	62,080	

Does it mean I have to uninstall Adobe? or just delete that file?

BTW explorer is still crashing after I've disabled all non microsoft extensions.


----------



## devil_himself (Apr 7, 2007)

See if This Applies
http://forums.techguy.org/windows-nt-2000-xp/691453-solved-win-explorer-error-when.html


----------



## Jeruvy (Sep 20, 2007)

qoolio said:


> Does it mean I have to uninstall Adobe? or just delete that file?
> 
> BTW explorer is still crashing after I've disabled all non microsoft extensions.


I would uninstall Adobe. If the uninstaller doesn't clean this up then you'll need to get something to remove it afterwards.

You can always reinstall it later.

Also is there anything in the Event Viewer indicating why explorer is crashing?


----------



## tex0gen (Jun 10, 2007)

Why not just format C://
and then re-add all the programs you had 1 by 1 till you get the source lmao.


----------



## qoolio (Mar 16, 2008)

@tex0gen The hard drive was recently formatted to accommodate hardware upgrade i.e. motherboard, ram and 160 GB hard drive.


----------



## qoolio (Mar 16, 2008)

@devil remember I said my office puter is having similar symptoms like my home pc but my office puter was cured after I uninstalled aadware.exe from it? Well, I rebooted my office pc this morning and it's happening all over again. I tried your suggestion as in post #20 and it's still fidgety. (I've yet to try this at my home PC). BTW my office puter has the following recurring error:

Event Type:	Error
Event Source:	nview_info
Event Category:	None
Event ID:	1
Date: 1/21/2008
Time: 10:39:10 AM
User: N/A
Computer:	ASROCK
Description:
The description for Event ID ( 1 ) in Source ( nview_info ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: NVIEW : iexplore: Shared heap exhausted or damaged, process ID cb4, total alloc:3f350...
.

Could this be the source of it all?

@Jeruvy Done that and I'm no further than when I started this thread


----------



## devil_himself (Apr 7, 2007)

nview_info --> nView Desktop Manager

Are You Running "Dual Monitors" ?

If Not Then "Disable nView Desktop Manager" Thru

Start --> Control panel --> Nview desktop manager > ?


----------



## qoolio (Mar 16, 2008)

I've opened the event viewer and the errors reported have been greatly reduced compared to post #3 for my home puter. Here they are:

Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date: 3/13/2008
Time: 1:15:11 AM
User: NT AUTHORITY\SYSTEM
Computer:	USER-89F310F58A
Description:
Windows saved user USER-89F310F58A\User registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Winlogon
Event Category:	None
Event ID:	1015
Date: 3/16/2008
Time: 10:11:25 AM
User: N/A
Computer:	USER-89F310F58A
Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine must now be restarted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/16/2008
Time: 8:52:52 AM
User: N/A
Computer:	USER-89F310F58A
Description:
Faulting application avgas.exe, version 7.5.1.43, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 61 76 67 ure avg
0018: 61 73 2e 65 78 65 20 37 as.exe 7
0020: 2e 35 2e 31 2e 34 33 20 .5.1.43 
0028: 69 6e 20 6b 65 72 6e 65 in kerne
0030: 6c 33 32 2e 64 6c 6c 20 l32.dll 
0038: 35 2e 31 2e 32 36 30 30 5.1.2600
0040: 2e 33 31 31 39 20 61 74 .3119 at
0048: 20 6f 66 66 73 65 74 20 offset 
0050: 30 30 30 31 32 61 35 62 00012a5b
0058: 0d 0a ..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/14/2008
Time: 8:52:41 PM
User: N/A
Computer:	USER-89F310F58A
Description:
Faulting application ad-aware2007.exe, version 7.0.2.1, faulting module ad-aware2007.exe, version 7.0.2.1, fault address 0x00094c9a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 61 64 2d ure ad-
0018: 61 77 61 72 65 32 30 30 aware200
0020: 37 2e 65 78 65 20 37 2e 7.exe 7.
0028: 30 2e 32 2e 31 20 69 6e 0.2.1 in
0030: 20 61 64 2d 61 77 61 72 ad-awar
0038: 65 32 30 30 37 2e 65 78 e2007.ex
0040: 65 20 37 2e 30 2e 32 2e e 7.0.2.
0048: 31 20 61 74 20 6f 66 66 1 at off
0050: 73 65 74 20 30 30 30 39 set 0009
0058: 34 63 39 61 0d 0a 4c9a..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/14/2008
Time: 8:52:39 PM
User: N/A
Computer:	USER-89F310F58A
Description:
Faulting application ad-aware2007.exe, version 7.0.2.1, faulting module ad-aware2007.exe, version 7.0.2.1, fault address 0x00094c9a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 61 64 2d ure ad-
0018: 61 77 61 72 65 32 30 30 aware200
0020: 37 2e 65 78 65 20 37 2e 7.exe 7.
0028: 30 2e 32 2e 31 20 69 6e 0.2.1 in
0030: 20 61 64 2d 61 77 61 72 ad-awar
0038: 65 32 30 30 37 2e 65 78 e2007.ex
0040: 65 20 37 2e 30 2e 32 2e e 7.0.2.
0048: 31 20 61 74 20 6f 66 66 1 at off
0050: 73 65 74 20 30 30 30 39 set 0009
0058: 34 63 39 61 0d 0a 4c9a..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/14/2008
Time: 8:52:35 PM
User: N/A
Computer:	USER-89F310F58A
Description:
Faulting application ad-aware2007.exe, version 7.0.2.1, faulting module ad-aware2007.exe, version 7.0.2.1, fault address 0x00094c9a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 61 64 2d ure ad-
0018: 61 77 61 72 65 32 30 30 aware200
0020: 37 2e 65 78 65 20 37 2e 7.exe 7.
0028: 30 2e 32 2e 31 20 69 6e 0.2.1 in
0030: 20 61 64 2d 61 77 61 72 ad-awar
0038: 65 32 30 30 37 2e 65 78 e2007.ex
0040: 65 20 37 2e 30 2e 32 2e e 7.0.2.
0048: 31 20 61 74 20 6f 66 66 1 at off
0050: 73 65 74 20 30 30 30 39 set 0009
0058: 34 63 39 61 0d 0a 4c9a..

Event Type:	Information
Event Source:	Winlogon
Event Category:	None
Event ID:	1002
Date: 3/19/2008
Time: 2:15:46 PM
User: N/A
Computer:	USER-89F310F58A
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I'll update you on post #25. I'm using my home puter at the moment.
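The Event Viewer records qoolio pasted in two posts above (the first batch earlier in the thread and this one) are easier to read once grouped. This Python block, added here as an example rather than taken from any post, parses that pasted text format into records, skips the hex "Data:" dump, and counts faulting application/module pairs from Application Error 1000 records alongside Winlogon 1002 shell restarts. The sample records are constructed to mirror the ones in the thread; the function names `parse_events` and `summarize` and the sample text are assumptions of this example.

```python
"""Summarise Event Viewer records pasted as text (the format asked for earlier in the thread).

Added example for this thread, not part of any post. The records below are
constructed to mirror the ones pasted above, including a hex "Data:" dump.
"""
import re
from collections import Counter

SAMPLE_EVENTS = """\
Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1000
Date: 3/14/2008
Time: 8:52:35 PM
Computer:\tUSER-89F310F58A
Description:
Faulting application ad-aware2007.exe, version 7.0.2.1, faulting module ad-aware2007.exe, version 7.0.2.1, fault address 0x00094c9a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail

Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1000
Date: 3/14/2008
Time: 8:52:39 PM
Computer:\tUSER-89F310F58A
Description:
Faulting application ad-aware2007.exe, version 7.0.2.1, faulting module ad-aware2007.exe, version 7.0.2.1, fault address 0x00094c9a.

Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1000
Date: 3/16/2008
Time: 8:52:52 AM
Computer:\tUSER-89F310F58A
Description:
Faulting application avgas.exe, version 7.5.1.43, faulting module kernel32.dll, version 5.1.2600.3119, fault address 0x00012a5b.

Event Type:\tInformation
Event Source:\tWinlogon
Event ID:\t1002
Date: 3/19/2008
Time: 2:15:46 PM
Computer:\tUSER-89F310F58A
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.
"""

# Header lines look like "Event ID:<tab>1000" or "Date: 3/14/2008".
HEADER_RE = re.compile(
    r'^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$')
# Application Error 1000 description, as Windows XP words it.
FAULT_RE = re.compile(
    r'Faulting application (?P<app>[^,]+), version (?P<appver>[^,]+), '
    r'faulting module (?P<mod>[^,]+), version (?P<modver>[^,]+), '
    r'fault address (?P<addr>0x[0-9a-f]+)', re.IGNORECASE)


def parse_events(text):
    """Split pasted Event Viewer text into one dict per record (headers + joined Description)."""
    events = []
    for chunk in re.split(r'(?m)^(?=Event Type:)', text):  # each record starts with Event Type:
        if not chunk.strip():
            continue
        ev, desc, in_desc = {}, [], False
        for line in chunk.splitlines():
            if in_desc:
                # The boilerplate help link and the hex "Data:" dump end the description.
                if line.startswith(("For more information", "Data:")):
                    in_desc = False
                elif line.strip():
                    desc.append(line.strip())
                continue
            if line.startswith("Description:"):
                in_desc = True
                continue
            m = HEADER_RE.match(line)
            if m:
                ev[m.group(1)] = m.group(2).strip()
        ev["Description"] = " ".join(desc)
        events.append(ev)
    return events


def summarize(text):
    """Counts a responder wants first: (source, id) pairs, app/module crash pairs, shell restarts."""
    events = parse_events(text)
    by_source_id = Counter((e.get("Event Source"), e.get("Event ID")) for e in events)
    crashes = Counter()
    for e in events:
        if (e.get("Event Source"), e.get("Event ID")) == ("Application Error", "1000"):
            m = FAULT_RE.search(e["Description"])
            if m:
                crashes[(m["app"], m["mod"])] += 1
    return {"events": len(events), "by_source_id": by_source_id, "crashes": crashes,
            "shell_restarts": by_source_id[("Winlogon", "1002")]}


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    for (app, mod), n in s["crashes"].most_common():
        print(f"{n}x {app} faulting in {mod}")
    print(f"shell restarts (Winlogon 1002): {s['shell_restarts']}")
```

On the records in this thread the grouping makes the gap visible: ad-aware2007.exe and avgas.exe each fault in their own processes, the only mention of explorer.exe is the Winlogon 1002 restart notice, and no 1000 record names explorer.exe at all, so the Application log by itself does not say what killed the shell, which is why the thread moves on to bisecting shell extensions.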


----------



## devil_himself (Apr 7, 2007)

Download And Install This

User Profile Hive Cleanup Service
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en


----------



## qoolio (Mar 16, 2008)

Yes done that as per post #5.


----------



## qoolio (Mar 16, 2008)

I was on the verge of reformatting and reinstalling Windows. I did an exhaustive Google search for the problem I was having and found an interesting solution to my problem.

Check it out here:

http://www.pcreview.co.uk/forums/thread-336217.php

Believe it or not, my pc was instantaneously cured!!!

Sad thing was it was not really spyware or a virus, although I did find several spyware and viruses, but the problem was still pertinent.

Appreciate all of your comments/feedback.

Hopefully somebody with my problems will not have to resort to the trouble of reformatting or sledgehammering their pc.


----------



## tex0gen (Jun 10, 2007)

Congratulations. =] and Google IS your friend.


----------



## devil_himself (Apr 7, 2007)

qoolio, Glad Your Problem Is Fixed

Thanks For The Solution 

You Can Use The "Thread Tools" At The Top To Mark The "Thread" As "Solved"


----------



## qoolio (Mar 16, 2008)

@Tex0gen thanks, I love Google!

@Devil Thanks for all your assistance. Glad I could return the favor


----------



## Jeruvy (Sep 20, 2007)

> @Jeruvy Done that and I'm no further than when I started this thread


Hmm, it would seem you followed my advice and you're fixed. Sorry I wasn't around to help you through, but you got there and that's what counts. The Event Viewer is an important source of information regarding problems.

Good stuff. Go ahead and mark this thread as 'solved'.


----------



## qoolio (Mar 16, 2008)

I sure picked up a thing or two ever since I started this thread. You guys are a dedicated lot, that's for sure. To think that I would've taken it to the store to get it "fixed" when all I needed was a little bit of persistence and excellent support. Thanks again!


----------



## Cookiegal (Aug 27, 2003)

This would not eliminate the malware that was showing in your HijackThis log. Please post a new one and we'll take it from there.


----------



## qoolio (Mar 16, 2008)

Cookiegal> you mean a new hijackthis log?


----------



## Cookiegal (Aug 27, 2003)

Yes, a new HijackThis log.


----------



## qoolio (Mar 16, 2008)

Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:13 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitTorrent\bittorrent.exe
E:\downloads\Firefox\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load= 
F3 - REG:win.ini: run= 
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1205321471984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2D3A4B9-5BDC-462B-B998-CD5E15BB5BE6}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8052 bytes


----------



## qoolio (Mar 16, 2008)

The solution to post #29 was short-lived. I've since rebooted and I was back where I started. I ran Spyware Terminator and removed some affiliate cookies, and Explorer has stabilized. However, I feel there is still some evil malware/spyware lurking around. Here's a scan report from Spyware Terminator:

Logfile of Spyware Terminator v2.1.1.314 (db:1.0.155.920)
Scan Time: 3/21/2008 11:53:08 PM length: 853 s
Platform: WXP (5.1.0.2600)
User: Admin
Boot Mode: Normal
Scan type: Full_Spyware_Scan
Scanned Objects: 49141 (Critical:0)
Filter: No System items, No Safe items, No Invalid items

Running Processes
BOCORE.exe [COMODO] : C:\Program Files\Comodo\CBOClean\BOCORE.exe
cmdagent.exe [COMODO] : C:\Program Files\COMODO\Firewall\cmdagent.exe
nvsvc32.exe [NVIDIA Corporation] : C:\WINDOWS\system32\nvsvc32.exe
RichVideo.exe : C:\Program Files\CyberLink\Shared files\RichVideo.exe
uphclean.exe [Microsoft Corporation] : C:\Program Files\UPHClean\uphclean.exe
uphclean.exe [Microsoft Corporation] : C:\Program Files\UPHClean\uphclean.exe
uphclean.exe [Microsoft Corporation] : C:\Program Files\UPHClean\uphclean.exe

Internet Settings
R - HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar = http://www.google.com/ie
R - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R - HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R - HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, Domain = 
R - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, DomainName =

StartUps
04 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SpybotSD TeaTimer : [Safer Networking Limited] : C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SkyTel : [Realtek Semiconductor Corp.] : C:\WINDOWS\SkyTel.EXE
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, LanguageShortcut : : C:\Program Files\CYBERLINK\POWERDVD\LANGUAGE\LANGUAGE.EXE
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NeroFilterCheck : [Nero AG] : C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, COMODO Firewall Pro : [COMODO] : C:\Program Files\COMODO\FIREWALL\CFP.EXE
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, BOC-425 : [COMODO] : C:\Program Files\COMODO\CBOClean\BOC425.EXE
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SunJavaUpdateSched : [Sun Microsystems, Inc.] : C:\Program Files\JAVA\JRE1.6.0_05\BIN\JUSCHED.EXE
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PCSuiteTrayApplication : [Nokia] : C:\Program Files\NOKIA\NOKIA PC SUITE 6\LAUNCHAPPLICATION.EXE
04 - Startup: %START_PROGRAMS%\Startup\OpenOffice.org 2.3.lnk : C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe

Shell Extensions
Nokia Phone Browser - {416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} - [Nokia] : C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

Services
23 - [Nokia] : C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
23 - [Nokia] : C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
23 - [Nokia] : C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
23 - [Nokia] : C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
23 - : C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys
23 - [COMODO] : C:\Program Files\Comodo\CBOClean\BOCORE.exe
23 - [COMODO] : C:\Program Files\COMODO\Firewall\cmdagent.exe
23 - [COMODO] : C:\WINDOWS\system32\DRIVERS\cmdguard.sys
23 - [COMODO] : C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
23 - [COMODO] : C:\WINDOWS\system32\DRIVERS\inspect.sys
23 - [Realtek Semiconductor Corp.] : C:\WINDOWS\system32\drivers\RtkHDAud.sys
23 - [NVIDIA Corporation] : C:\WINDOWS\system32\DRIVERS\nvata.sys
23 - [NVIDIA Corporation] : C:\WINDOWS\system32\nvsvc32.exe
23 - : C:\Program Files\CyberLink\Shared files\RichVideo.exe
23 - [Realtek Semiconductor Corporation ] : C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
23 - [Microsoft Corporation] : C:\Program Files\UPHClean\uphclean.exe

Advanced Files Report

End of Report

Remove Process:

Preparing structures
Remove Affiliate tracking cookie 
Done


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions on downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean-up process is finished, as it makes our job more tedious, with additional new files that may have to be researched, which is very time-consuming.*

*Also, please do not run any security programs or fixes on your own, as doing so may compromise what we will be doing. It is important that you wait for instructions.*


----------



## qoolio (Mar 16, 2008)

Installed and ran ComboFix, and so far Explorer no longer twitches. Here's the log file:

ComboFix 08-03-22.3 - User 2008-03-23 19:53:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1565 [GMT 8:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\eyldrkeh.ini
C:\WINDOWS\system32\eyldrkeh.ini2
C:\WINDOWS\system32\eyldrkeh.tmp
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\rnpcbttn.dll
C:\WINDOWS\system32\sfmipflm.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 19:55 . 2008-03-23 19:55	6,736	--a------	C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-03-21 23:58 . 2004-08-04 00:56	159,232	--a------	C:\WINDOWS\system32\ptpusd.dll
2008-03-21 23:58 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-21 23:58 . 2004-08-03 22:58	15,104	--a--c---	C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-21 23:58 . 2001-08-17 22:36	5,632	--a------	C:\WINDOWS\system32\ptpusb.dll
2008-03-21 23:22 . 2008-03-21 23:22	0	--a------	C:\WINDOWS\OpPrintServer.INI
2008-03-21 23:13 . 2008-03-21 23:37 d--------	C:\Program Files\Canon
2008-03-20 22:10 . 2006-10-05 10:42	2,560	---------	C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-03-20 22:10 . 2006-10-05 10:42	2,432	---------	C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-03-20 21:50 . 2008-03-20 22:06 d--------	C:\Documents and Settings\User\Application Data\Nokia Multimedia Player
2008-03-20 21:48 . 2008-03-20 21:48 d--------	C:\Documents and Settings\User\Application Data\gtk-2.0
2008-03-20 21:47 . 2008-03-20 21:47 d--------	C:\Documents and Settings\User\.thumbnails
2008-03-20 21:40 . 2008-03-20 21:40 d--------	C:\Documents and Settings\User\Phone Browser
2008-03-20 21:36 . 2008-03-20 21:39 d--------	C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-20 21:35 . 2008-03-20 21:42 d--------	C:\Documents and Settings\User\Application Data\Nokia
2008-03-20 21:32 . 2008-03-20 21:32 d--------	C:\Program Files\Common Files\PCSuite
2008-03-20 21:32 . 2008-03-20 21:32 d--------	C:\Program Files\Common Files\Nokia
2008-03-20 21:30 . 2008-03-20 21:30 d--------	C:\Program Files\PC Connectivity Solution
2008-03-20 21:30 . 2008-03-20 21:41 d--------	C:\Documents and Settings\User\Application Data\PC Suite
2008-03-20 21:29 . 2008-03-20 21:32 d--------	C:\Program Files\Nokia
2008-03-20 21:29 . 2007-02-22 11:15	137,216	--a------	C:\WINDOWS\system32\drivers\nmwcd.sys
2008-03-20 21:29 . 2007-02-22 11:15	90,624	--a------	C:\WINDOWS\system32\nmwcdcls.dll
2008-03-20 21:29 . 2007-02-22 11:15	65,536	--a------	C:\WINDOWS\system32\nmwcdcocls.dll
2008-03-20 21:29 . 2007-02-22 11:15	12,288	--a------	C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-03-20 21:29 . 2007-02-22 11:15	12,288	--a------	C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-03-20 21:29 . 2007-02-22 11:15	8,320	--a------	C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-03-20 21:28 . 2008-03-20 21:28 d--------	C:\Documents and Settings\All Users\Application Data\Installations
2008-03-20 20:10 . 2008-03-20 20:12 d--h-----	C:\WINDOWS\system32\GroupPolicy
2008-03-20 18:00 . 2008-03-20 18:02 d--------	C:\Program Files\Crawler
2008-03-20 17:58 . 2008-03-20 17:58	138,752	--a------	C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-20 17:57 . 2008-03-23 19:01 d--------	C:\Program Files\Spyware Terminator
2008-03-20 17:57 . 2008-03-23 19:01 d--------	C:\Documents and Settings\User\Application Data\Spyware Terminator
2008-03-20 17:57 . 2008-03-22 00:07 d--------	C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-20 17:54 . 2008-03-20 17:54	307,968	--a------	C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-20 17:54 . 2008-02-27 13:15	28,416	--a------	C:\WINDOWS\system32\uxtuneup.dll
2008-03-20 07:48 . 2008-03-20 07:49	10,752	--a------	C:\WINDOWS\DCEBoot.exe
2008-03-16 17:25 . 2008-03-17 18:32 d--------	C:\Program Files\UPHClean
2008-03-16 17:06 . 2008-03-16 17:06 d--------	C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-16 14:04 . 2008-03-16 14:04 d--------	C:\Program Files\Spybot - Search & Destroy
2008-03-16 14:04 . 2008-03-16 14:11 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 08:16 . 2008-03-16 08:16 d--------	C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-16 08:15 . 2008-03-16 08:15 d--------	C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-03-15 22:17 . 2008-03-15 22:17 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-14 23:26 . 2008-03-14 23:26 d--------	C:\Documents and Settings\User\Application Data\Thunderbird
2008-03-14 23:25 . 2008-03-21 20:23 d--------	C:\Program Files\Mozilla Thunderbird
2008-03-14 21:00 . 2008-03-14 23:19 d--------	C:\Documents and Settings\User\.housecall6.6
2008-03-14 20:56 . 2008-03-14 20:56 d--------	C:\WINDOWS\Sun
2008-03-13 20:39 . 2008-03-20 22:09 d--------	C:\Program Files\Google
2008-03-13 19:42 . 2008-03-20 21:59 d--------	C:\Documents and Settings\User\.gimp-2.4
2008-03-13 19:12 . 2008-03-13 19:11	213,504	--a------	C:\WINDOWS\system32\SpoonUninstall.exe
2008-03-13 19:12 . 2008-03-13 19:21	2,163	--a------	C:\WINDOWS\SaintPaint.INI
2008-03-13 16:08 . 2008-03-13 16:12 d--------	C:\Program Files\real
2008-03-13 12:38 . 2008-03-13 12:38	1,320,277	---hs----	C:\WINDOWS\system32\cekfgxkb.ini
2008-03-13 11:27 . 2007-12-07 10:21	6,066,176	-----c---	C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-13 11:27 . 2007-07-01 11:31	2,455,488	-----c---	C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-13 11:27 . 2007-07-01 11:36	991,232	-----c---	C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-13 11:27 . 2007-12-07 10:21	459,264	-----c---	C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-13 11:27 . 2007-12-07 10:21	383,488	-----c---	C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-13 11:27 . 2007-12-07 10:21	267,776	-----c---	C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-13 11:27 . 2007-12-07 10:21	63,488	-----c---	C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-13 11:27 . 2007-12-07 10:21	52,224	-----c---	C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-13 11:27 . 2007-12-06 19:00	13,824	-----c---	C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-13 06:06 . 2004-08-04 00:56	221,184	--a------	C:\WINDOWS\system32\wmpns.dll
2008-03-13 05:31 . 2007-04-10 10:31	332,672	--a------	C:\WINDOWS\system32\wgatray.exe.bak
2008-03-13 05:31 . 2007-04-10 10:30	200,064	--a------	C:\WINDOWS\system32\wgalogon.dll.bak
2008-03-13 00:40 . 2008-03-13 00:40	2,320,640	--a------	C:\WINDOWS\system32\TUKernel.exe
2008-03-13 00:31 . 2008-03-13 00:31 d--------	C:\Documents and Settings\User\Application Data\TuneUp Software
2008-03-13 00:30 . 2008-03-20 17:55 d--------	C:\Program Files\TuneUp Utilities 2008
2008-03-13 00:30 . 2008-03-13 00:30 d--------	C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-12 22:49 . 2008-03-23 20:00 d--------	C:\Documents and Settings\User\Application Data\OpenOffice.org2
2008-03-12 22:44 . 2008-03-12 22:45 d--------	C:\Program Files\OpenOffice.org 2.3
2008-03-12 22:44 . 2008-02-22 02:33	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-03-12 22:43 . 2008-03-15 21:21 d--------	C:\Program Files\Java
2008-03-12 22:43 . 2008-03-12 22:43 d--------	C:\Program Files\Common Files\Java
2008-03-12 21:07 . 2004-08-04 00:56	22,528	--a------	C:\WINDOWS\system32\wsock32.dlb
2008-03-12 21:06 . 2008-03-14 20:48 d--------	C:\Documents and Settings\All Users\Application Data\BOC425
2008-03-12 21:06 . 2007-11-26 10:38	238,848	--a------	C:\WINDOWS\UNBOC.EXE
2008-03-12 21:06 . 2007-05-08 17:01	208,896	--a------	C:\WINDOWS\CMDLIC.DLL
2008-03-12 21:06 . 2008-03-23 19:58	9,292	--a------	C:\WINDOWS\BOC425.INI
2008-03-12 20:53 . 2008-03-12 21:06 d--------	C:\Program Files\COMODO
2008-03-12 20:53 . 2008-03-12 20:53 d--------	C:\Documents and Settings\User\Application Data\Comodo
2008-03-12 20:53 . 2008-03-13 00:57 d--------	C:\Documents and Settings\All Users\Application Data\comodo
2008-03-12 20:53 . 2008-03-15 13:54	139,008	--a------	C:\WINDOWS\system32\guard32.dll
2008-03-12 20:53 . 2008-03-15 13:54	85,112	--a------	C:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-12 20:53 . 2008-03-15 13:54	23,800	--a------	C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-12 20:20 . 2008-03-21 20:32	1,289	--a------	C:\WINDOWS\mozver.dat
2008-03-12 20:00 . 2008-03-13 15:06 d--h-----	C:\WINDOWS\$hf_mig$
2008-03-12 19:52 . 2008-03-21 23:38 d--------	C:\Documents and Settings\User\Application Data\BitTorrent
2008-03-12 19:51 . 2008-03-12 19:51 d--------	C:\Program Files\DNA
2008-03-12 19:51 . 2008-03-12 19:51 d--------	C:\Program Files\BitTorrent
2008-03-12 19:51 . 2008-03-17 20:44 d--------	C:\Documents and Settings\User\Application Data\DNA
2008-03-12 19:43 . 2008-03-12 19:43	0	--a------	C:\WINDOWS\nsreg.dat
2008-03-12 19:34 . 2007-07-30 19:19	43,352	--a------	C:\WINDOWS\system32\wups2.dll
2008-03-12 19:34 . 2007-07-30 19:18	34,136	--a------	C:\WINDOWS\system32\wucltui.dll.mui
2008-03-12 19:34 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-12 19:34 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuapi.dll.mui
2008-03-12 19:34 . 2007-07-30 19:18	20,312	--a------	C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-12 19:29 . 2008-03-12 19:29 d--hs----	C:\Documents and Settings\User\UserData
2008-03-11 18:07 . 2008-03-11 18:07 d--------	C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-03-11 18:06 . 2008-03-17 17:40 d--------	C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 15:37	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-03-21 15:11	---------	d-----w	C:\Program Files\Common Files\InstallShield
2008-03-11 08:21	---------	d-----w	C:\Program Files\DIFX
2008-03-11 08:18	---------	d-----w	C:\Program Files\Realtek
2008-03-11 08:06	---------	d-----w	C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31a83eaf-0b25-4071-b31e-027d92dc7495}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DA42E0A-B483-4176-BAC2-9D06B98F9139}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB82E225-FB29-411E-A059-689752B0F1D0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-16 15:35 7630848]
"nwiz"="nwiz.exe" [2006-08-16 15:35 1617920 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-16 15:35 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-15 13:48 1503488]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 10:38 342272]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusqpo]
wvusqpo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"003aa0bc"=rundll32.exe "C:\WINDOWS\system32\hekrdlye.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-15 13:54]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-15 13:54]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-20 17:54]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-03-23 12:00:08 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 19:59:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\system32\drivers

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
.
**************************************************************************
.
Completion time: 2008-03-23 20:07:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-23 12:06:39
.
2008-03-13 03:34:45	--- E O F ---

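The ComboFix logs in this thread contain the registry entries a malware-removal helper reads first: a Winlogon Notify package with a random-looking name (`wvusqpo`), a Run value named like a hex string that has rundll32 load a system32 DLL through a one-letter export, Security Center notifications switched off, a firewall profile with `EnableFirewall` set to 0, and an AutoRun command registered for a mounted volume. As an added example (not ComboFix code and not anything posted in this thread), the Python below parses the REGEDIT4-style "Reg Loading Points" section and flags those patterns. The sample input is constructed from entries in the posted logs; the allow-list of Windows XP Winlogon Notify packages, the watched-service list and the severity labels are the example's own assumptions, not output of any tool on the page.

```python
import re
from collections import namedtuple

# Constructed sample input, modelled on entries from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusqpo]
wvusqpo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"003aa0bc"=rundll32.exe "C:\WINDOWS\system32\hekrdlye.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6afc8f0e-d670-11da-8e8d-001109ce3aff}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"""

Finding = namedtuple("Finding", "severity key entry reason")  # severity: "high" or "medium"

# Assumed allow-list: Winlogon\Notify packages shipped with Windows XP, plus WgaLogon from WGA
# Notifications. Any other subkey makes winlogon.exe load a DLL at every logon.
XP_NOTIFY_DEFAULTS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
# Services whose disabled state (listed by ComboFix under msconfig) blunts the host's defences.
WATCHED_SERVICES = {"wuauserv": "Automatic Updates", "wscsvc": "Security Center",
                    "ersvc": "Error Reporting", "sharedaccess": "Windows Firewall/ICS"}
HEX_VALUE_NAME = re.compile(r'^"[0-9a-f]{6,}"\s*=', re.I)
RUNDLL_SHORT_EXPORT = re.compile(  # rundll32 running a system32 DLL through a 1-2 letter export
    r'rundll32(?:\.exe)?\s+"?[^",]*\\system32\\[^"\\,]+\.dll"?\s*,\s*\w{1,2}\s*$', re.I)
RUN_KEY = re.compile(r'\\currentversion\\run(?:once)?-?$')  # trailing '-' = parked by a startup manager
FIREWALL_OFF = re.compile(r'^"?EnableFirewall"?\s*=\s*0\b', re.I)

def parse_sections(text):
    """Split REGEDIT4-style output into (key, [entry lines]) pairs, in document order."""
    sections, key, entries = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                sections.append((key, entries))
            key, entries = line[1:-1], []
        elif key is not None:
            entries.append(line)
    if key is not None:
        sections.append((key, entries))
    return sections

def triage(text):
    """Return Findings for the registry sections of a ComboFix log, most severe first."""
    found = []
    for key, entries in parse_sections(text):
        k = key.lower()
        if "\\winlogon\\notify\\" in k:
            if k.rsplit("\\", 1)[1] not in XP_NOTIFY_DEFAULTS:
                found += [Finding("high", key, e, "non-default Winlogon Notify package; "
                                  "winlogon.exe loads this DLL at every logon") for e in entries]
        elif k.endswith("\\msconfig\\services"):
            for e in entries:
                svc = e.split("=", 1)[0].strip().strip('"').lower()
                if svc in WATCHED_SERVICES:
                    found.append(Finding("medium", key, e, WATCHED_SERVICES[svc] + " service disabled"))
        elif "\\security center" in k:
            found += [Finding("medium", key, e, "Security Center alerting suppressed") for e in entries
                      if re.search(r"disable(notify|monitoring)", e, re.I) and e.endswith("dword:00000001")]
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            found += [Finding("medium", key, e, "Windows Firewall off in the standard profile")
                      for e in entries if FIREWALL_OFF.match(e)]
        elif RUN_KEY.search(k):
            note = " (disabled startup entry, but the DLL may still be on disk)" if k.endswith("-") else ""
            found += [Finding("high", key, e, "hex-named Run value or rundll32 loading a system32 "
                              "DLL by a bare export" + note) for e in entries
                      if HEX_VALUE_NAME.match(e) or RUNDLL_SHORT_EXPORT.search(e)]
        elif "\\explorer\\mountpoints2\\" in k:
            found += [Finding("high", key, e, "AutoRun command registered for a mounted volume; "
                              "it runs when the drive is opened") for e in entries if "autorun" in e.lower()]
    return sorted(found, key=lambda f: {"high": 0, "medium": 1}[f.severity])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.severity.upper(), f.key, f.entry, f.reason, sep="\n    ")
```

Run it on a saved log with `triage(open("ComboFix.txt").read())`. A key whose name ends in `-` (as in `...\Run-`) holds startup entries a startup manager has parked rather than deleted, so a hit there still means the DLL it points at should be located and checked on disk; likewise, entries under the msconfig services key are services the user or a tool switched off, which is why the sample flags Automatic Updates and Security Center being disabled as worth a question rather than as malware.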

----------



## Cookiegal (Aug 27, 2003)

Please run the MGA Diagnostic Tool and post back the report it creates:

1. Download *MGADiag* to your desktop.
2. Double-click on MGADiag.exe to launch the program.
3. Click "Continue".
4. Ensure that the "Windows" tab is selected (it should be by default).
5. Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
6. Paste the MGA Diagnostic Report back here in your next reply.


----------



## qoolio (Mar 16, 2008)

My office PC was having the same problem as my home PC, so I ran ComboFix on it. Explorer.exe no longer crashes. Here's the report from ComboFix:

ComboFix 08-03-23.2 - Nasri 2008-03-24 11:04:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.120 [GMT 8:00]
Running from: C:\Documents and Settings\Nasri\Desktop\ComboFix.exe
.
The following files were disabled during the run:
C:\Program Files\iolo\Common\Lib\ioloHL.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nasri\Application Data\macromedia\Flash Player\#SharedObjects\4CCCRWDK\iforex.com
C:\Documents and Settings\Nasri\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drmgs.sys
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gjkmp.ini2
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\jkkkheb.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Service_NPF
-------\Service_perfmons
-------\Service_Routing

((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-17 12:21 . 2008-03-17 12:21 d--------	C:\Program Files\UPHClean
2008-03-11 14:37 . 2008-03-11 14:37 d--------	C:\Program Files\Softland
2008-03-11 14:37 . 2008-02-11 16:14	7,477	--a------	C:\WINDOWS\system32\dopdf6.ctm
2008-03-10 15:07 . 2008-03-10 15:07	0	--a------	C:\WINDOWS\Irremote.ini
2008-03-10 15:00 . 2008-03-10 15:00 d--------	C:\Program Files\FPDFC
2008-03-10 13:22 . 2008-03-10 14:04	69	--a------	C:\WINDOWS\NeroDigital.ini
2008-03-10 13:07 . 2008-03-10 15:12 d--------	C:\Program Files\Common Files\Nero
2008-03-10 13:07 . 2008-03-10 15:12 d--------	C:\Documents and Settings\All Users\Application Data\Nero
2008-03-10 12:44 . 2008-03-10 12:44 d--------	C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-06 15:17 . 2004-10-08 09:16	35,840	--a------	C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-03-06 15:12 . 2008-03-06 15:13 d--------	C:\Program Files\HP Photosmart 11
2008-03-03 11:55 . 2008-03-03 11:55 d--------	C:\Documents and Settings\LocalService\Application Data\McAfee
2008-02-29 12:01 . 2008-02-29 12:01 d--------	C:\Documents and Settings\Nasri\Application Data\McAfee
2008-02-26 14:14 . 2008-02-26 14:14	125	--a------	C:\ioSpecial.ini
2008-02-26 11:31 . 2008-02-26 11:31 d--------	C:\Program Files\bfgclient
2008-02-26 11:31 . 2008-02-26 11:45 d--------	C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2008-02-25 14:47 . 2008-03-18 14:02	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-02-25 14:47 . 2008-02-25 14:47	1,409	--a------	C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 06:28	---------	d-----w	C:\Program Files\McAfee
2008-03-19 04:29	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-03-18 22:37	---------	d-----w	C:\Documents and Settings\Nasri\Application Data\uTorrent
2008-03-17 04:26	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-03-10 07:12	---------	d-----w	C:\Program Files\Nero
2008-03-10 05:13	---------	d-----w	C:\Documents and Settings\Nasri\Application Data\Nero
2008-03-10 04:45	---------	d-----w	C:\Program Files\Common Files\Ahead
2008-03-10 04:45	---------	d-----w	C:\Program Files\Ahead
2008-03-06 07:16	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-03-03 06:26	286,720	------w	C:\WINDOWS\Setup1.exe
2008-03-03 04:22	---------	d-----w	C:\Documents and Settings\Nasri\Application Data\Canon
2008-02-29 04:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-26 06:14	---------	d-----w	C:\Program Files\Finders Keepers
2008-02-26 03:15	---------	d-----w	C:\Program Files\TuneUp Utilities 2008
2008-02-26 02:54	---------	d-----w	C:\Program Files\MSN Messenger
2008-02-26 02:52	---------	d-----w	C:\Program Files\ICQToolbar
2008-02-18 02:50	---------	d-----w	C:\Program Files\QuickTime
2008-02-18 02:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-12 04:15	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-02-12 04:15	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-12 03:39	691,545	----a-w	C:\WINDOWS\unins000.exe
2008-02-12 02:36	---------	d-----w	C:\Documents and Settings\Nasri\Application Data\SiteAdvisor
2008-02-12 02:36	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-05 07:04	---------	d-----w	C:\Program Files\SiteAdvisor
2008-02-05 02:50	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\ICQ Toolbar
2008-02-04 05:29	---------	d-----w	C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-04 05:26	---------	d-----w	C:\Program Files\Common Files\McAfee
2008-02-04 05:25	---------	d-----w	C:\Program Files\McAfee.com
2008-02-03 04:16	306,432	----a-w	C:\WINDOWS\system32\TuneUpDefragService.exe
2008-02-01 07:12	---------	d-----w	C:\Program Files\TweakNow RegCleaner Std
2008-02-01 05:45	---------	d-----w	C:\Program Files\Last.fm
2008-01-28 06:37	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Last.fm
2008-01-25 04:41	---------	d-----w	C:\Documents and Settings\Nasri\Application Data\ICQ Toolbar
2008-01-11 05:05	25,600	----a-w	C:\WINDOWS\system32\Partizan.exe
2008-01-08 04:24	117,672	-c--a-w	C:\Documents and Settings\Nasri\Application Data\GDIPFONTCACHEV1.DAT
2006-10-23 05:29	25,600	-c--a-w	C:\Documents and Settings\Nasri\usbsermptxp.sys
2006-10-23 05:29	22,768	-c--a-w	C:\Documents and Settings\Nasri\usbsermpt.sys
2006-10-04 03:00	144,465	-c--a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2006_10_03_14_03_07_small.dmp.zip
2006-09-27 04:02	133,486	-c--a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_27_11_49_45_small.dmp.zip
2006-04-19 08:22	111,081	-c--a-w	C:\WINDOWS\Internet Logs\BitComet_2nd_2006_04_19_13_33_33_small.dmp.zip
2006-01-24 01:59	128,955	-c--a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2006_01_23_16_19_11_small.dmp.zip
2005-06-27 04:21	266	-c-h--w	C:\Program Files\desktop.ini
2005-06-27 04:21	11,079	-c-h--w	C:\Program Files\folder.htt
2005-05-28 02:16	1,112	-c--a-w	C:\Documents and Settings\Nasri\Application Data\ViewerApp.dat
2004-10-29 16:11	5,492,736	-c--a-w	C:\WINDOWS\inf\oem4097.exe
2004-08-20 11:09	62,865	-c--a-w	C:\WINDOWS\inf\IM\odysseyIM3.sys
2004-08-20 11:09	45,056	-c--a-w	C:\WINDOWS\inf\IM\imdinst.exe
2004-08-20 11:09	12,739	-c--a-w	C:\WINDOWS\inf\IM\odNetInstall.dll
2003-08-27 06:19	36,963	-c--a-r	C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-01-01 21:31 986112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Mozilla Firefox\firefox.exe" [2008-02-11 15:16 7655024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 16:31 67584 C:\WINDOWS\SOUNDMAN.EXE]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07 8491008]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-23 03:49 188416]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 01:07 81920]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-25 05:57 36640]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" [2002-11-23 03:48 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-23 03:50 49152]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 09:17 443968]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2005-04-19 10:59 188459]

C:\Documents and Settings\Nasri\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-28 14:31:32 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoostSpeed]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"McENUI"=C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=

R0 XPacket;iolo Personal Firewall Driver;C:\WINDOWS\system32\xpacket.sys [2007-02-06 16:01]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 20:00]
R3 EZUSB;EZUSB PC/SC Smart Card Reader;C:\WINDOWS\system32\DRIVERS\ezusb.sys [2004-09-23 20:06]
R3 TNET1130;D-Link AirPlus G+ Wireless Adapter;C:\WINDOWS\system32\DRIVERS\GPlus.sys [2004-05-21 16:59]
S3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2004-08-20 19:09]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-01-15 14:45]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys []
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-03 12:16]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6afc8f0e-d670-11da-8e8d-001109ce3aff}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 09:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-03-24 02:42:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-24 03:11:43 C:\WINDOWS\Tasks\HP Usg Login.job"
- C:\Program Files\hp photosmart 11\printer\Hphusg04.exe
"2008-02-04 05:25:54 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-29 17:00:10 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 11:12:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\iavlsp.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-24 11:15:04 - machine was rebooted [Nasri]
ComboFix-quarantined-files.txt 2008-03-24 03:15:01
.
2008-03-17 05:23:23	--- E O F ---

I also ran the MGA diagnostic tool and here's the log:

Diagnostic Report (1.7.0069.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-C37RG-CGYCH-RC86G
Windows Product Key Hash: lTi2NeVHrILPmLVV5cXipdNwWd8=
Windows Product ID: 76487-OEM-2253673-26706
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.2.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {4A6FB0EB-1F0C-464E-9105-0C3B0BFBF5D2}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.18.5
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.18.5
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2920-80070002_025D1FF3-171-1_E2AD56EA-337-8009_E2AD56EA-338-2f0d_16E0B333-89-80004005_B4D0AA8B-888-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\PROGRA~1\MOZILL~1\FIREFOX.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\crypt32.dll[5.131.2600.2180]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{4A6FB0EB-1F0C-464E-9105-0C3B0BFBF5D2}</UGUID><Version>1.7.0069.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-RC86G</PKey><PID>76487-OEM-2253673-26706</PID><PIDType>3</PIDType><SID>S-1-5-21-2052111302-1993962763-839522115</SID><SYSTEM><Manufacturer>MICRO-STAR INC.</Manufacturer><Model>MS-6788</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>V6.1 on 07.00T</Version><SMBIOSVersion major="2" minor="3"/><Date>20050105000000.000000+000</Date></BIOS><HWID>44BF336F01848E5D</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Malay Peninsula Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91110409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office XP Professional</Name><Ver>10</Ver><Val>2B1F0926FBE9B30</Val><Hash>WQ10EzuCXb3PyeQsg+wEloxU9uQ=</Hash><Pid>54186-OEM-1793735-81272</Pid><PidType>4</PidType></Product><Product GUID="{91190409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Publisher 2002</Name><Ver>10</Ver><Val>3E85CDBF1F2D0B0</Val><Hash>yalaEZ/OadigCapF3rmC7SDVkIE=</Hash><Pid>54197-OEM-1695581-69272</Pid><PidType>4</PidType></Product></Products></Office></Software></GenuineResults>


----------



## qoolio (Mar 16, 2008)

I ran ComboFix again because Explorer was twitching. Now it has rebooted and all I get is a black screen and the mouse pointer???!!!

I ran the Windows Recovery Console and disabled agp440.sys. It was the last file that tried to load at boot. Now the blank screen and pointer are gone and everything starts up fine.


----------



## Cookiegal (Aug 27, 2003)

I'm confused now about which computer you had the problem on after running ComboFix. It's too difficult to work on two computers in the same thread. I will split them to a new thread once I know which posts belong. I would also like to see a HijackThis log from the office computer. You can post it here and I will split them off.


----------



## qoolio (Mar 16, 2008)

I've got both (home and office ) PCs working fine now.


----------



## Cookiegal (Aug 27, 2003)

There's still a problem with the one you posted the last ComboFix from.

Are you using a flash or external drive? If so, insert it and do the following:

Download *Flash_Disinfector.exe by sUBs* from *here* and save it to your desktop.
- Double-click *Flash_Disinfector.exe* to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives, including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
*Note*: _Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection._

Open Notepad and copy and paste the text in the code box below into it:


```
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6afc8f0e-d670-11da-8e8d-001109ce3aff}]
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## qoolio (Mar 16, 2008)

Here's the ComboFix log for my home computer:
ComboFix 08-03-22.3 - User 2008-03-28 18:57:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1511 [GMT 8:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-26 08:11 . 2008-03-26 08:11	262,144	--a------	C:\WINDOWS\system32\default_user_class.dat
2008-03-25 20:21 . 2008-03-28 18:27	69	--a------	C:\WINDOWS\NeroDigital.ini
2008-03-25 08:00 . 2008-03-25 08:00 d--------	C:\Program Files\MSXML 6.0
2008-03-23 20:22 . 2008-03-25 08:01	2,359,350	--a------	C:\WINDOWS\PhotoFiltre-Wallpaper.bmp
2008-03-21 23:58 . 2004-08-04 00:56	159,232	--a------	C:\WINDOWS\system32\ptpusd.dll
2008-03-21 23:58 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-21 23:58 . 2004-08-03 22:58	15,104	--a--c---	C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-21 23:58 . 2001-08-17 22:36	5,632	--a------	C:\WINDOWS\system32\ptpusb.dll
2008-03-21 23:22 . 2008-03-21 23:22	0	--a------	C:\WINDOWS\OpPrintServer.INI
2008-03-21 23:13 . 2008-03-21 23:37 d--------	C:\Program Files\Canon
2008-03-20 22:10 . 2006-10-05 10:42	2,560	---------	C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-03-20 22:10 . 2006-10-05 10:42	2,432	---------	C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-03-20 21:50 . 2008-03-23 21:19 d--------	C:\Documents and Settings\User\Application Data\Nokia Multimedia Player
2008-03-20 21:48 . 2008-03-20 21:48 d--------	C:\Documents and Settings\User\Application Data\gtk-2.0
2008-03-20 21:47 . 2008-03-20 21:47 d--------	C:\Documents and Settings\User\.thumbnails
2008-03-20 21:40 . 2008-03-20 21:40 d--------	C:\Documents and Settings\User\Phone Browser
2008-03-20 21:36 . 2008-03-20 21:39 d--------	C:\Documents and Settings\All Users\Application Data\PC Suite
2008-03-20 21:35 . 2008-03-20 21:42 d--------	C:\Documents and Settings\User\Application Data\Nokia
2008-03-20 21:32 . 2008-03-20 21:32 d--------	C:\Program Files\Common Files\PCSuite
2008-03-20 21:32 . 2008-03-20 21:32 d--------	C:\Program Files\Common Files\Nokia
2008-03-20 21:30 . 2008-03-20 21:30 d--------	C:\Program Files\PC Connectivity Solution
2008-03-20 21:30 . 2008-03-20 21:41 d--------	C:\Documents and Settings\User\Application Data\PC Suite
2008-03-20 21:29 . 2008-03-20 21:32 d--------	C:\Program Files\Nokia
2008-03-20 21:29 . 2007-02-22 11:15	137,216	--a------	C:\WINDOWS\system32\drivers\nmwcd.sys
2008-03-20 21:29 . 2007-02-22 11:15	90,624	--a------	C:\WINDOWS\system32\nmwcdcls.dll
2008-03-20 21:29 . 2007-02-22 11:15	65,536	--a------	C:\WINDOWS\system32\nmwcdcocls.dll
2008-03-20 21:29 . 2007-02-22 11:15	12,288	--a------	C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-03-20 21:29 . 2007-02-22 11:15	12,288	--a------	C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-03-20 21:29 . 2007-02-22 11:15	8,320	--a------	C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-03-20 21:28 . 2008-03-20 21:28 d--------	C:\Documents and Settings\All Users\Application Data\Installations
2008-03-20 20:10 . 2008-03-20 20:12 d--h-----	C:\WINDOWS\system32\GroupPolicy
2008-03-20 18:00 . 2008-03-20 18:02 d--------	C:\Program Files\Crawler
2008-03-20 17:58 . 2008-03-20 17:58	138,752	--a------	C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-20 17:57 . 2008-03-23 19:01 d--------	C:\Program Files\Spyware Terminator
2008-03-20 17:57 . 2008-03-23 19:01 d--------	C:\Documents and Settings\User\Application Data\Spyware Terminator
2008-03-20 17:57 . 2008-03-22 00:07 d--------	C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-20 17:54 . 2008-03-20 17:54	307,968	--a------	C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-20 17:54 . 2008-02-27 13:15	28,416	--a------	C:\WINDOWS\system32\uxtuneup.dll
2008-03-20 07:48 . 2008-03-20 07:49	10,752	--a------	C:\WINDOWS\DCEBoot.exe
2008-03-16 17:25 . 2008-03-17 18:32 d--------	C:\Program Files\UPHClean
2008-03-16 17:06 . 2008-03-16 17:06 d--------	C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-16 14:04 . 2008-03-16 14:04 d--------	C:\Program Files\Spybot - Search & Destroy
2008-03-16 14:04 . 2008-03-16 14:11 d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 08:16 . 2008-03-16 08:16 d--------	C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-16 08:15 . 2008-03-16 08:15 d--------	C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2008-03-15 22:17 . 2008-03-15 22:17 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-14 23:26 . 2008-03-14 23:26 d--------	C:\Documents and Settings\User\Application Data\Thunderbird
2008-03-14 23:25 . 2008-03-21 20:23 d--------	C:\Program Files\Mozilla Thunderbird
2008-03-14 21:00 . 2008-03-14 23:19 d--------	C:\Documents and Settings\User\.housecall6.6
2008-03-14 20:56 . 2008-03-14 20:56 d--------	C:\WINDOWS\Sun
2008-03-13 20:39 . 2008-03-20 22:09 d--------	C:\Program Files\Google
2008-03-13 19:42 . 2008-03-20 21:59 d--------	C:\Documents and Settings\User\.gimp-2.4
2008-03-13 19:12 . 2008-03-13 19:11	213,504	--a------	C:\WINDOWS\system32\SpoonUninstall.exe
2008-03-13 19:12 . 2008-03-13 19:21	2,163	--a------	C:\WINDOWS\SaintPaint.INI
2008-03-13 16:08 . 2008-03-13 16:12 d--------	C:\Program Files\real
2008-03-13 12:38 . 2008-03-13 12:38	1,320,277	---hs----	C:\WINDOWS\system32\cekfgxkb.ini
2008-03-13 11:27 . 2007-12-07 10:21	6,066,176	-----c---	C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-13 11:27 . 2007-07-01 11:31	2,455,488	-----c---	C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-13 11:27 . 2007-07-01 11:36	991,232	-----c---	C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-13 11:27 . 2007-12-07 10:21	459,264	-----c---	C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-13 11:27 . 2007-12-07 10:21	383,488	-----c---	C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-13 11:27 . 2007-12-07 10:21	267,776	-----c---	C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-13 11:27 . 2007-12-07 10:21	63,488	-----c---	C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-13 11:27 . 2007-12-07 10:21	52,224	-----c---	C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-13 11:27 . 2007-12-06 19:00	13,824	-----c---	C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-13 06:06 . 2004-08-04 00:56	221,184	--a------	C:\WINDOWS\system32\wmpns.dll
2008-03-13 05:31 . 2007-04-10 10:31	332,672	--a------	C:\WINDOWS\system32\wgatray.exe.bak
2008-03-13 05:31 . 2007-04-10 10:30	200,064	--a------	C:\WINDOWS\system32\wgalogon.dll.bak
2008-03-13 00:40 . 2008-03-13 00:40	2,320,640	--a------	C:\WINDOWS\system32\TUKernel.exe
2008-03-13 00:31 . 2008-03-13 00:31 d--------	C:\Documents and Settings\User\Application Data\TuneUp Software
2008-03-13 00:30 . 2008-03-20 17:55 d--------	C:\Program Files\TuneUp Utilities 2008
2008-03-13 00:30 . 2008-03-13 00:30 d--------	C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-03-12 22:49 . 2008-03-28 18:00 d--------	C:\Documents and Settings\User\Application Data\OpenOffice.org2
2008-03-12 22:44 . 2008-03-12 22:45 d--------	C:\Program Files\OpenOffice.org 2.3
2008-03-12 22:44 . 2008-02-22 02:33	69,632	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-03-12 22:43 . 2008-03-15 21:21 d--------	C:\Program Files\Java
2008-03-12 22:43 . 2008-03-12 22:43 d--------	C:\Program Files\Common Files\Java
2008-03-12 21:07 . 2004-08-04 00:56	22,528	--a------	C:\WINDOWS\system32\wsock32.dlb
2008-03-12 21:06 . 2008-03-14 20:48 d--------	C:\Documents and Settings\All Users\Application Data\BOC425
2008-03-12 21:06 . 2007-11-26 10:38	238,848	--a------	C:\WINDOWS\UNBOC.EXE
2008-03-12 21:06 . 2007-05-08 17:01	208,896	--a------	C:\WINDOWS\CMDLIC.DLL
2008-03-12 21:06 . 2008-03-28 18:58	9,054	--a------	C:\WINDOWS\BOC425.INI
2008-03-12 20:53 . 2008-03-12 21:06 d--------	C:\Program Files\COMODO
2008-03-12 20:53 . 2008-03-12 20:53 d--------	C:\Documents and Settings\User\Application Data\Comodo
2008-03-12 20:53 . 2008-03-13 00:57 d--------	C:\Documents and Settings\All Users\Application Data\comodo
2008-03-12 20:53 . 2008-03-15 13:54	139,008	--a------	C:\WINDOWS\system32\guard32.dll
2008-03-12 20:53 . 2008-03-15 13:54	85,112	--a------	C:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-12 20:53 . 2008-03-15 13:54	23,800	--a------	C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-12 20:20 . 2008-03-21 20:32	1,289	--a------	C:\WINDOWS\mozver.dat
2008-03-12 20:00 . 2008-03-13 15:06 d--h-----	C:\WINDOWS\$hf_mig$
2008-03-12 19:52 . 2008-03-25 08:02 d--------	C:\Documents and Settings\User\Application Data\BitTorrent
2008-03-12 19:51 . 2008-03-12 19:51 d--------	C:\Program Files\DNA
2008-03-12 19:51 . 2008-03-12 19:51 d--------	C:\Program Files\BitTorrent
2008-03-12 19:51 . 2008-03-17 20:44 d--------	C:\Documents and Settings\User\Application Data\DNA
2008-03-12 19:43 . 2008-03-12 19:43	0	--a------	C:\WINDOWS\nsreg.dat
2008-03-12 19:34 . 2007-07-30 19:19	43,352	--a------	C:\WINDOWS\system32\wups2.dll
2008-03-12 19:34 . 2007-07-30 19:18	34,136	--a------	C:\WINDOWS\system32\wucltui.dll.mui
2008-03-12 19:34 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-12 19:34 . 2007-07-30 19:19	25,944	--a------	C:\WINDOWS\system32\wuapi.dll.mui
2008-03-12 19:34 . 2007-07-30 19:18	20,312	--a------	C:\WINDOWS\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 15:37	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-03-21 15:11	---------	d-----w	C:\Program Files\Common Files\InstallShield
2008-03-11 08:21	---------	d-----w	C:\Program Files\DIFX
2008-03-11 08:18	---------	d-----w	C:\Program Files\Realtek
2008-03-11 08:06	---------	d-----w	C:\Program Files\microsoft frontpage
2008-02-23 02:38	43,872	------w	C:\WINDOWS\system32\drivers\pxhelp20.sys
.

((((((((((((((((((((((((((((( [email protected]_20.06.21.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-20 13:29:48	3,262	----a-r	C:\WINDOWS\Installer\{11964613-805F-432D-A12B-169554B793E7}\ARPPRODUCTICON.exe
+ 2008-03-23 13:13:44	3,262	----a-r	C:\WINDOWS\Installer\{11964613-805F-432D-A12B-169554B793E7}\ARPPRODUCTICON.exe
- 2008-03-20 13:31:13	10,134	----a-r	C:\WINDOWS\Installer\{99A40651-0BC2-4095-8F9A-A40FAB224FEF}\ARPPRODUCTICON.exe
+ 2008-03-23 13:14:58	10,134	----a-r	C:\WINDOWS\Installer\{99A40651-0BC2-4095-8F9A-A40FAB224FEF}\ARPPRODUCTICON.exe
- 2008-03-20 13:35:34	15,086	----a-r	C:\WINDOWS\Installer\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\ARPPRODUCTICON.exe
+ 2008-03-23 13:16:05	15,086	----a-r	C:\WINDOWS\Installer\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\ARPPRODUCTICON.exe
+ 2007-05-15 07:43:10	1,320,800	----a-w	C:\WINDOWS\system32\msxml6.dll
+ 2005-09-07 17:03:50	86,728	----a-w	C:\WINDOWS\system32\msxml6r.dll
+ 2008-03-28 10:00:12	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_6dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 13:32 94208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-16 15:35 7630848]
"nwiz"="nwiz.exe" [2006-08-16 15:35 1617920 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-16 15:35 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-15 13:48 1503488]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 10:38 342272]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusqpo]
wvusqpo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"003aa0bc"=rundll32.exe "C:\WINDOWS\system32\hekrdlye.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-15 13:54]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-15 13:54]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-20 17:54]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 11:00:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 19:01:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-28 19:02:25
ComboFix-quarantined-files.txt 2008-03-28 11:01:59
ComboFix2.txt 2008-03-23 12:07:41
.
2008-03-25 00:00:58	--- E O F ---

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:25 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\downloads\Firefox\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1205321471984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2D3A4B9-5BDC-462B-B998-CD5E15BB5BE6}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: wvusqpo - wvusqpo.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7896 bytes


----------
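Pulling the indicators from this thread together, as an added example that is not part of any post here and not a feature of ComboFix or HijackThis: a small Python triage script that scans log lines in the two formats above for the entries the helpers acted on (the MountPoints2 AutoRun handler that launches RavMonE.exe from a removable drive, the Winlogon Notify entry whose DLL is missing, the Security Center notification switches, and a rundll32 Run entry with a random-looking DLL name), then emits a ComboFix-style `Registry::` deletion section in the same `[-key]` / `"name"=-` syntax Cookiegal's CFScript uses. The sample lines are copied from the logs in this thread with one benign ctfmon.exe entry added as a control; the 8-letter-DLL naming check is a heuristic of mine, and the generated script is something to review before use, not to run blind.

```python
"""Triage of ComboFix / HijackThis log lines for the indicators seen in this thread.

Added example, not a tool from the thread or from ComboFix/HijackThis.  The rules are
regexes against the line formats those logs actually use; the 8-letter-DLL naming
check is a heuristic and the ComboFix script text is built for review, not blind use.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the logs posted above, plus one benign
# ctfmon.exe entry that must not be flagged.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6afc8f0e-d670-11da-8e8d-001109ce3aff}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusqpo]
wvusqpo.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"003aa0bc"=rundll32.exe "C:\WINDOWS\system32\hekrdlye.dll",b
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
O20 - Winlogon Notify: wvusqpo - wvusqpo.dll (file missing)
"""

# (rule name, regex the enclosing registry key must contain or None, regex the line
# must match with a 'what' group, why it matters).  Case-insensitive throughout.
RULES = [
    ("mountpoints2_autorun", r"\\mountpoints2\\",
     r"^\\Shell\\AutoRun\\command\s+-\s+(?P<what>.+)$",
     "per-volume AutoRun handler: runs when the drive is opened in Explorer"),
    ("winlogon_notify_dll", r"\\winlogon\\notify\\",
     r"^(?P<what>\S+\.dll)$",
     "Winlogon Notify package: loaded into winlogon.exe at logon"),
    ("winlogon_notify_missing", None,
     r"^O20 - Winlogon Notify: \S+ - (?P<what>\S+) \(file missing\)$",
     "orphaned Winlogon Notify entry whose DLL is gone"),
    ("security_center_notify_off", r"\\security center$",
     r'^"(?P<what>(?:AntiVirus|Firewall|Updates)DisableNotify)"=dword:0*1$',
     "Security Center warning suppressed"),
    ("rundll32_random_dll", None,
     r'^"[0-9a-f]{8}"=rundll32\.exe\s+"(?P<what>[^"]*\\[a-z]{8}\.dll)"',
     "rundll32 entry with hex value name and 8-letter DLL name (heuristic)"),
]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, rule) hit, tagged with the registry key it sits under."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):   # ComboFix registry section header
            current_key = line[1:-1]
            continue
        if re.match(r"^[A-Z]\d+ - ", line):                # HijackThis line: no enclosing key
            current_key = ""
        for name, key_pat, line_pat, why in RULES:
            if key_pat and not re.search(key_pat, current_key, re.I):
                continue
            m = re.match(line_pat, line, re.I)
            if m:
                findings.append({"rule": name, "key": current_key,
                                 "what": m.group("what"), "why": why, "line": line})
    return findings


def cfscript(findings: List[Dict[str, str]]) -> str:
    """Build a ComboFix 'Registry::' section in the .reg deletion syntax used in the
    thread: [-key] deletes a key, "name"=- deletes a value.  Review before use."""
    delete_keys, delete_values = [], {}
    for f in findings:
        if f["rule"] in ("mountpoints2_autorun", "winlogon_notify_dll"):
            delete_keys.append(f["key"])
        elif f["rule"] == "security_center_notify_off":
            delete_values.setdefault(f["key"], []).append(f["what"])
    lines = ["Registry::"]
    lines += [f"[-{k}]" for k in dict.fromkeys(delete_keys)]       # de-duplicate, keep order
    for key, names in delete_values.items():
        lines.append(f"[{key}]")
        lines += [f'"{n}"=-' for n in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f['rule']:28} {f['what']}\n{'':28} {f['why']}")
    print(cfscript(hits))
```

Run it against a saved ComboFix.txt or HijackThis log by reading the file into `triage()`; the HijackThis `O20` rule and the ComboFix `winlogon\notify` rule will both fire on the same orphaned package, which is expected since the two logs describe the same key. The `rundll32_random_dll` rule is deliberately narrow (hex value name plus an 8-letter DLL) so that legitimate NvCpl.dll-style rundll32 entries in the logs above are not flagged.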

