Explorer.exe using 99% CPU



bfindlay
2007-03-13, 20:17
When browsing folders full of images or video clips on my pc, the pc will stop responding, and the cpu usage goes to 100%. If I quit explorer.exe and relaunch it, it clears up for a bit, then it re-occurs. This behaviour has been going on now for about a month.

I have scanned repeatedly with Spybot, AVG, and now (before this post) with HijackThis, and the online scanner 'Housecall'. Here are my HJT logs and the result of the Housecall scan (I did not see a way to save a report here, but it pronounced the pc as clean).

ADVthanksANCE to any and all that can shed light on this. I appreciate it! ;-)

Logfile of HijackThis v1.99.1
Scan saved at 9:15:52 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - e:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NaturalPoint] C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Mr_JAk3
2007-03-16, 21:04
Hi and welcome to the Forums :)

You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer; you must install one.

These are good (free) antiviruses:
AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)
You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
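As an added illustration (not code from the thread, nor from HijackThis itself), the following Python script picks out the same two kinds of entry the helper listed for fixing: O2 BHOs whose DLL is reported absent ("(no file)" or "(file missing)") and O16 DPF entries that record no download source. The sample lines are constructed in HijackThis v1.99.1 format after the entries above, and the selection rules are this example's own reading of that list, not a published HijackThis rule.

```python
"""Triage a HijackThis (v1.99.1 style) log for dead browser registrations.

Added example, not part of the thread or of HijackThis. It flags the two
kinds of entry the helper listed for fixing: O2 BHOs whose DLL is gone and
O16 DPF (ActiveX download) entries that record no source URL.
"""
import re

# Constructed sample in HijackThis format, modelled on the log in the thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""

# A registry-style CLSID: {8-4-4-4-12} hex digits.
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"
)
# The "(name)" part is optional: HijackThis drops it once the control is gone.
DPF_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$"
)


def triage_hjt(log_text):
    """Return (section, clsid, reason, line) for each entry worth fixing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        bho = BHO_RE.match(line)
        if bho:
            path = bho.group("path")
            # HijackThis reports a BHO whose DLL is absent either as
            # '(no file)' or by appending '(file missing)' to the path.
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(("O2", bho.group("clsid").upper(),
                                 "BHO registered but its DLL is absent", line))
            continue
        dpf = DPF_RE.match(line)
        if dpf and not dpf.group("url"):
            findings.append(("O16", dpf.group("clsid").upper(),
                             "ActiveX download entry with no source URL", line))
    return findings


def fix_list(findings):
    """The lines to tick under 'Do a system scan only', in log order."""
    return [line for _, _, _, line in findings]


if __name__ == "__main__":
    for section, clsid, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{section}] {clsid}: {reason}")
        print(f"    {line}")
```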

bfindlay
2007-03-17, 00:01
Hi and welcome to the Forums :)

You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer, you must install one antivirus.

Hmmm - I installed and ran AVG some time ago. From the HijackThis log, I see:

e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

(In my first post.) Is this not an 'antivirus'? Am I missing something here? I thought I already DID install and run AVG, as evidenced above.

bfindlay
2007-03-17, 05:13
Mr. Jak - thanks for taking the time to look at this. I see that the AVG antivirus is different from the anti-spyware - I have installed it. Followed your detailed instructions - updated the AVG anti-spyware, rebooted in safe mode. Ran HJT and deleted the entries you suggested, ran ATF Cleaner, and saved the log. Ran the spyware scan and saved the log, and did a second HJT scan. All are posted here. Hope this makes sense.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:01:51 PM 3/16/2007

+ Scan result:

D:\Local Disk (E)\Documents and Settings\Brian_2\Cookies\brian_2@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 9:05:11 PM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
e:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
e:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
e:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - e:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NaturalPoint] C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] e:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

bfindlay
2007-03-18, 19:38
Ok, after all that, I have verified that the problem still exists. After a few digs into folder structures, the cpu usage jumps to 100% and I have to quit and relaunch explorer.exe.

Mr_JAk3
2007-03-21, 12:56
Hello again :)

I'm sorry for the huge delay, I've been very busy the last two days...

Yes, AVG Anti-Spyware isn't an antivirus.

Did you fix these entries with HijackThis?

O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)

Download F-Secure Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html) and save it to your desktop.

Double-click blbeta.exe, accept the agreement, click Scan, then click Next.

You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (the Blacklight log from your desktop).

bfindlay
2007-03-21, 15:51
Mr Jak - thanks for your help. Yes I did delete the HJT entries. I am downloading and scanning with the rootkit you suggested right now. Back to you later...

bfindlay
2007-03-22, 15:33
Mr Jak - here is the rootkit report. Don't know what this implies, but here it is.

03/21/07 23:13:45 [Info]: BlackLight Engine 1.0.55 initialized
03/21/07 23:13:45 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/21/07 23:13:45 [Note]: 7019 4
03/21/07 23:13:45 [Note]: 7005 0
03/21/07 23:13:47 [Note]: 7006 0
03/21/07 23:13:47 [Note]: 7011 1564
03/21/07 23:13:47 [Note]: 7026 0
03/21/07 23:13:47 [Note]: 7026 0
03/21/07 23:13:53 [Note]: FSRAW library version 1.7.1021
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\ali.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\cdlock.dll
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\cpy.exe
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\dirlist
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\dirlist_bak
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\DL.BAK
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\EMF_Decrypt.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\fldrvw61.ocx
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\install.exe
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\magic.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mf.chm
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mf.txx
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mfx
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\MFX.CFG
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mfx_cfg.org
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\readme.txt
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\systray.exe
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\tb.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:16:32 [Info]: Hidden file: c:\WINDOWS\system32\drivers\MFX.sys
03/21/07 23:16:32 [Note]: 7002 0
03/21/07 23:16:32 [Note]: 7003 1
03/21/07 23:16:32 [Note]: 10002 1


Thanks again for your help with this! ;-)

Mr_JAk3
2007-03-22, 19:31
Hello :)

Ok, the Blacklight scan revealed a rootkit. It is related to this Encrypted Magic Folders (http://www.pc-magic.com/des.htm#emf) software...it is used to encrypt and hide files/folders.

There are now a few possibilities:

1. You have installed the program. Are you the administrator/owner of the pc?
2. Someone else has installed the program to hide stuff from you (maybe an attacker)


So do you know anything about the program?
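To show what the helper read out of that BlackLight log, here is an added Python example (not part of the thread, nor of BlackLight) that parses the fsbl log format, keeps only the "Hidden file:" lines, groups them by directory and singles out hidden kernel drivers under system32\drivers, the entry that makes this a kernel-level hider rather than a stray folder. The log lines are a constructed subset modelled on the posted report; the numeric [Note] codes are undocumented, so they are only counted and otherwise ignored.

```python
"""Triage an F-Secure BlackLight (fsbl.*.log) report for hidden files.

Added example, not part of the thread. Groups the 'Hidden file:' entries by
directory and flags hidden kernel drivers, the strongest sign that the hiding
is done from kernel mode rather than by file attributes alone.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample modelled on the log posted in the thread (a subset).
SAMPLE_BLACKLIGHT_LOG = r"""
03/21/07 23:13:45 [Info]: BlackLight Engine 1.0.55 initialized
03/21/07 23:13:45 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/21/07 23:13:53 [Note]: FSRAW library version 1.7.1021
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\ali.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\cdlock.dll
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\fldrvw61.ocx
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\readme.txt
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\MFX.CFG
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:16:32 [Info]: Hidden file: c:\WINDOWS\system32\drivers\MFX.sys
03/21/07 23:16:32 [Note]: 10002 1
"""

# "MM/DD/YY HH:MM:SS [Level]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\]: (?P<msg>.*)$"
)
HIDDEN_PREFIX = "Hidden file: "
# Extensions that can carry code; everything else is treated as data.
CODE_EXTENSIONS = {".exe", ".dll", ".ocx", ".sys"}


def parse_blacklight(text):
    """Return (timestamp, level, message) for every well-formed log line."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append((m.group("ts"), m.group("level"), m.group("msg")))
    return records


def hidden_files(text):
    """Return the paths BlackLight reported as hidden, in log order."""
    return [
        msg[len(HIDDEN_PREFIX):]
        for _, level, msg in parse_blacklight(text)
        if level == "Info" and msg.startswith(HIDDEN_PREFIX)
    ]


def triage(text):
    """Summarise hidden files by directory and call out hidden drivers."""
    paths = hidden_files(text)
    by_dir = defaultdict(list)
    drivers, code_files = [], []
    for path in paths:
        directory, name = ntpath.split(path)  # Windows paths on any host OS
        by_dir[directory.lower()].append(name)
        ext = ntpath.splitext(name)[1].lower()
        if ext in CODE_EXTENSIONS:
            code_files.append(path)
        # A hidden .sys under system32\drivers means a kernel component
        # is being concealed, not just a user's data folder.
        if ext == ".sys" and directory.lower().endswith(r"\system32\drivers"):
            drivers.append(path)
    note_lines = sum(1 for _, level, _ in parse_blacklight(text) if level == "Note")
    return {
        "hidden_count": len(paths),
        "by_dir": dict(by_dir),
        "code_files": code_files,
        "hidden_drivers": drivers,
        "ignored_note_lines": note_lines,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BLACKLIGHT_LOG)
    for directory, names in result["by_dir"].items():
        print(f"{directory}: {len(names)} hidden file(s): {', '.join(names)}")
    for drv in result["hidden_drivers"]:
        print(f"hidden kernel driver: {drv}  <- ask the owner what installed it")
```

Once the hidden driver and its companion directory are known, the next step is the one the helper took: ask whether the owner installed the product deliberately before treating it as malware.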

bfindlay
2007-03-23, 03:58
Yes, I am the admin of this computer. I installed Magic Folders for privacy reasons on this occasionally shared pc. I doubt that this program is the problem - I have used it for years on three different pcs now with no problem. I first contacted them with a report of this issue, but they had never heard of such a problem. I uninstalled it for a time, to see if it would cure it, but it did not, so I re-installed it.

Strangely, this behaviour seems to only manifest itself in some folder trees, not others.

Mr_JAk3
2007-03-23, 20:26
Ok, Magic Folders is ok since you have installed it on purpose.

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under Select a target to scan: select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

bfindlay
2007-03-24, 17:18
Hmmm - well, I set up the scan last night, before going to bed. This morning the computer was doing things I have never seen before. First, I was presented with a window saying the computer was locked, and I must enter the admin password to get back in. Did that, and was taken back to the running internet explorer process - sort of.

The windows were displayed, but mostly blank. When I moused over various parts of the screen, sometimes content directly under the mouse would become visible. One of these was the small window reporting the results of the scan. Scan took 3 hours, and found tons of stuff that was 'locked' and 'skipped'. It found two items on the 'f' drive (I have multiple drives, some partitioned) that had a little skull next to them, and it reported 2 infected files, and 1 virus. Tried to save the scan report, but the window that popped up (the save dialog box) was again, mostly blank, I moused around and the two buttons at the bottom appeared, but with no text in them. Clicked on one that should have been 'save' no disk activity, and the dialog box would not clear.

Tried ctrl-alt-del to get the task manager, and IT popped up with blank content and buttons as well. At that point, the computer was dead - I could not get anything to respond properly. I could drag the ghost outline of that box around, but it just smeared the background. Could not close it. Tried the power switch to restart - it did not respond. Had to unplug the computer to get it back up.

So, apparently we found something and pissed it off! OR Kaspersky itself stuck something on the computer with that ActiveX control that screwed up the works. Weird. I will try the scan again in safe mode tonight.

-confused.

Mr_JAk3
2007-03-25, 11:40
Hello :)

Very interesting.... We could use another scanner...


You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the icon next to the files found (http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif).
If so, click it, then click the icon right below and select Move incurable.
After the scan, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot the computer in Normal Mode.
Post the Cure-it report and a fresh HijackThis log

bfindlay
2007-03-25, 21:50
Ok, something is definitely 'up'. Followed your directions, and ran the scan in safe mode with Dr.Web. Express scan - no problem. Disk scan started, and after about 20 minutes, a window popped up, saying it had found a trojan in one of the .reg files of the Spybot folder. Deleted that, and the computer continued its scan. Left it, and came back 20 minutes later, and the screen saver had kicked in. When I moved the mouse, behold - the same blank windows were back. It was clear that Dr.Web was putting up a second notification dialog, but the buttons and information were blank. Background was blank, and the mouse/keyboard stopped responding. (This was in safe mode!)

Computer would not respond to the power button. Had to unplug it to restart it.

Safe mode again, and started another scan. Tried to disable the screensaver, as both times it did this, it was coming back from the screensaver. I click 'none' in the screensaver panel, then apply, then ok. Re-open the screensaver properties window and it has reset it to the default 10 min! Tried to choose another screen saver, and as soon as I close the window and re-open it - it is back to the original windows xp screen saver.

Tried clicking 'none' then 'apply' and leaving the window open, but the screen saver still re-engaged after 10 minutes.

Can't explain this. But this behaviour is not right. May or may not be related to other problems on this computer. Am running a scan again, but since the screen saver kicks in every 10 minutes, and the scan will take hours, I don't know if this will work (I can't sit here and wiggle the mouse all day).

-still stumped, but trying!!

Appreciate your help Mr J!! hope you are enjoying the puzzle! ;-)

bfindlay
2007-03-26, 01:26
OK, I managed to get a scan on Kaspersky to show the files by scanning in safe mode with networking. Didn't see anything there that would allow me to DELETE these files, but I was able to get the log. These are the two files I saw the other day after a full scan, followed by a crash before I could save the log file.

They are the entries on drive F right at the bottom.

********************************************************

Sunday, March 25, 2007 4:07:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/03/2007
Kaspersky Anti-Virus database records: 285770
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
I:\
J:\
K:\
L:\
M:\
Scan Statistics
Total number of scanned objects 570978
Number of viruses found 1
Number of infected objects 2 / 0
Number of suspicious objects 0
Duration of the scan process 03:06:43

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012007032520070326\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP181\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP3\A0000690.EXE/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
F:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP3\A0000690.EXE WiseSFX: infected - 1 skipped
Scan was interrupted by user!

*********************************************************

The Dr. Web scan had only this to say:

Process.exe;C:\Battle of Britain II;Tool.Prockill;;

However, I can verify that this file is fine - it is a process killer installed with Battle of Britain for relieving the system of unnecessary processes before gameplay - to improve frame rates. I use it occasionally and it has to be launched manually. Basically a DOS batch shell that stops various windows services. NOT a virus.

So - where does that leave us with the two F files. Should I try and find and delete 'em? Why do none of the other scanners find 'em? Specifically AVG.

They look like registry entries - not sure of the best way to dig em out of there. Not sure if they are even related - most of my issues come with browsing folder structures on the E drive....

Mr_JAk3
2007-03-26, 19:49
Hi :)

The "scan freezing" is most likely caused by the screensaver/power save mode...
I've seen similar issues in my friends pc...

Kaspersky found some infections from the System Restore. This can be easily cleaned. And yes you don't have to worry about the process.exe since you use it.

The screensaver problem might be e.g. some corrupted setting...Does this same issue appear on other user accounts?

bfindlay
2007-03-27, 06:51
>>Kaspersky found some infections from the System Restore. This can be easily cleaned. And yes you don't have to worry about the process.exe since you use it.

Umm - how? There were no options in Kaspersky to do so. Don't know how to do it manually. What is the next step?

PS - I think the screensaver not being able to shut off was related to spybot/teatimer. When I restarted normally, then tried to stop it, I got a teatimer dialog box that I did NOT get under safe mode. At any rate, Kaspersky managed to scan ok.

bfindlay
2007-03-27, 16:33
Hmm - the computer crashed last night - unrelated to any folder browsing (which was a 'crash' of explorer.exe only - not the entire system), or scanning or anything. Had to unplug to get it back. This morning it reported:

"One of the files containing the system's registry data had to be recovered by use of a log or alternate copy. The recovery was successful."

In a pop up window when I started the computer. How do we clean those files out of the registry - too much of a coincidence for my blood.

Mr_JAk3
2007-03-27, 19:50
Hi :)

These errors may be caused by a physical factor too...maybe the hard drive is getting old...

You could do these steps from this list and see if that helps --> Link (http://www.castlecops.com/postitle175256-0-0-.html)
- Check for disk errors
- Check for damaged, altered or missing critical system files
- Defrag your system

Then we'll need to clear your system restore from the malware that was left to there.
Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
Click to add a check mark beside Turn off System Restore on all Drives, and click Apply.
When you are warned that all existing Restore Points will be deleted, click Yes to continue.
Restart your computer normally.
Then we'll enable system restore again.
Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
Uncheck beside Turn off System Restore on all Drives, and click Apply.
Close the window

bfindlay
2007-03-31, 15:46
Mr Jak - tried all that (except the defrag bit). Turned OFF system restore, then rebooted. Ran the chkdsk on all volumes. Then ran Kaspersky again last night. Here is the result.

Saturday, March 31, 2007 6:43:16 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/03/2007
Kaspersky Anti-Virus database records: 289353
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
I:\
J:\
K:\
L:\
M:\
Scan Statistics
Total number of scanned objects 563958
Number of viruses found 1
Number of infected objects 2 / 0
Number of suspicious objects 0
Duration of the scan process 02:58:07

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012007033020070331\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\Free Download Manager\tic54.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF1F32.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\ACER.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{75FDFD2C-0696-4B51-B907-DCCBFCF53666}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\ZLT022d7.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT022db.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP3\A0000690.EXE/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
F:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP3\A0000690.EXE WiseSFX: infected - 1 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.



So, either the positives on drive F are false, or we need some other strategy to get rid of em. Can I manually delete these from the registry using regedit?

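Both Kaspersky reports above are almost entirely "Object is locked skipped" lines (registry hives, event logs, index.dat files and other files that are always open while Windows is running), and the only real detections sit inside a System Restore point on F:. The following Python script is an added example, not part of the thread and not code from Kaspersky or any other tool used here: it parses a report of this shape, drops the locked-file noise, splits archive members from their container, and works out which drive's restore points hold the flagged file. The regular expressions are written from the line shapes visible in the two reports and are an assumption about the format; the sample report is constructed from a few lines copied from the second report.

```python
"""Triage a Kaspersky Online Scanner (v5) text report (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Every report line is "<path> <status> <last action>"; the path contains
# spaces, so anchor on the status wording rather than splitting on whitespace.
# Line shapes are assumed from the reports in this thread.
LOCKED = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+(?P<action>\S+)$")
INFECTED = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<verdict>\S+)\s+(?P<action>\S+)$")
CONTAINER = re.compile(r"^(?P<path>.+?)\s+\S+:\s+infected - \d+\s+(?P<action>\S+)$")
# System Restore copies live under <drive>:\System Volume Information\_restore{GUID}\RP<n>\
RESTORE_POINT = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE)


@dataclass
class Finding:
    container: str              # file on disk the scanner opened
    member: str | None          # object inside it (after the "/"), if any
    verdict: str
    action: str                 # "skipped" means the scanner left it in place
    drive: str | None = None
    restore_point: int | None = None

    @property
    def riskware(self) -> bool:
        # Kaspersky prefixes adware/riskware names with "not-a-virus:".
        return self.verdict.lower().startswith("not-a-virus:")


@dataclass
class Triage:
    locked: list[str] = field(default_factory=list)      # always-open files: noise
    findings: list[Finding] = field(default_factory=list)
    containers: list[str] = field(default_factory=list)  # archive summary lines


def triage(report: str) -> Triage:
    out = Triage()
    for raw in report.splitlines():
        line = raw.strip()
        if m := LOCKED.match(line):
            out.locked.append(m["path"])
        elif m := INFECTED.match(line):
            # "A.EXE/WISE0087.BIN": the slash is the scanner's archive separator.
            container, sep, member = m["path"].partition("/")
            f = Finding(container, member if sep else None, m["verdict"], m["action"])
            if rp := RESTORE_POINT.match(container):
                f.drive, f.restore_point = rp["drive"].upper(), int(rp["rp"])
            out.findings.append(f)
        elif m := CONTAINER.match(line):
            out.containers.append(m["path"])
    return out


def summarize(t: Triage) -> dict[str, int]:
    return {
        "locked_noise": len(t.locked),
        "detections": len(t.findings),
        "in_restore_points": sum(f.restore_point is not None for f in t.findings),
        "riskware_only": sum(f.riskware for f in t.findings),
        "left_in_place": sum(f.action == "skipped" for f in t.findings),
    }


def restore_points_to_purge(t: Triage) -> list[tuple[str, int]]:
    """Drives/restore points holding detections. Turning System Restore off on
    all drives and back on (the cleanup used in this thread) discards them."""
    return sorted({(f.drive, f.restore_point) for f in t.findings if f.restore_point is not None})


# Constructed sample: a handful of lines copied from the second report above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP3\A0000690.EXE/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
F:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP3\A0000690.EXE WiseSFX: infected - 1 skipped
Scan process completed.
"""

if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(summarize(t))
    print("restore points to purge:", restore_points_to_purge(t))
```

On the sample the script reports four locked files, one detection that is riskware rather than a virus, one restore point (F:, RP3) to purge, and nothing actually removed by the scanner. A "skipped" action on an online scanner means exactly that: it reports but does not clean, which is why the same two lines reappear in the second report.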
bfindlay
2007-03-31, 20:56
I tried using the cleanmgr to delete system restore points on drive F - no effect.

I searched for the named file in regedit - no result.

Stumped as to what to do now.

Mr_JAk3
2007-04-01, 08:14
Hi :)

Don't use regedit, you can damage your system.

So you turned off system restore....Did you enable it too after the reboot? :bigthumb:

bfindlay
2007-04-01, 18:42
No, system restore is still disabled.

bfindlay
2007-04-01, 18:49
This computer is sliding rapidly downhill. It now crashes several times a day - the type of crash where I have to unplug it to regain control. Often I get dialog boxes saying firefox, or other programs can't be opened because they are not a valid win32 application - and they refuse to launch. This is usually cured by a restart - till next time.

What's the move? I have had this computer less than six months, and do not look forward to re-installing windows just to fix basic functionality. The only scan that 'found anything' (I am not convinced that it is real - could be a false positive - strange that no other scan - including AVG found anything) was Kaspersky - but it did nothing about it. Seems to be no cure to 'the problem'.

Mr_JAk3
2007-04-01, 20:34
You should enable System Restore.


Hmm we could try with another scanner...

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run PandaActiveScan...

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

bfindlay
2007-04-02, 00:12
It scanned - locked up (had to pull the plug). Scanned again, found only the process.exe - kill file in the Battle of Britain game folder we found earlier. (Not a malicious file, a batch file for quitting processes to enable better framerates).

In short it did NOT find the two that Kaspersky complains about. None of these anti-spyware/virus programs has yet agreed on anything on this computer.

The computer has frozen solid 3 times today so far.

Mr_JAk3
2007-04-02, 20:03
Hello :)

Let's see how your hard drive looks...

You could install the free trial of Hddlife (http://www.hddlife.com/eng/download-freeware.html) and run some tests with it. It may shed some light to this problem.

:bigthumb:

bfindlay
2007-04-03, 03:27
>>Hello :)
>>
>>Let's see how your hard drive looks...
>>
>>You could install the free trial of Hddlife (http://www.hddlife.com/eng/download-freeware.html) and run some tests with it. It may shed some light to this problem.
>>
>>:bigthumb:

No luck. The trial version only allows testing of the 'first drive'. I have three physical drives (Drive 'F:' is the one on which Kaspersky keeps identifying a virus in System Restore - even though I have disabled SR, rebooted, and re-enabled it)

Mr_JAk3
2007-04-06, 10:34
Hello :)

Sorry for the delay. I thought that I already replied...wonder what happened to my message :spider:

The problem might be caused by overheating too. Have you checked the temperatures?

Install this EVEREST Free Edition 2.20 (http://www.majorgeeks.com/download4181.html)

Run the program -> Computer -> Sensor
Check the temperatures

bfindlay
2007-04-06, 18:11
Well, I thought I may as well do a complete report...the temperatures did not report for the CPU or motherboard, but DID report for the GPU and hard drives. (two of them - the SATA drive did NOT report. However this drive was the only drive tested by HDDlife and it reported fine, and the temperature report was acceptable on it as well).

Note - when my machine starts up, the GPU fan moans quite loudly. This can be 'stopped' by giving it a Fonzie-like swat after it has been running awhile. I blew air on all fans yesterday, but it had no effect on the GPU fan. Very, very loud at times.

bfindlay
2007-04-06, 18:17
--------[ EVEREST Home Edition (c) 2003-2005 Lavalys, Inc. ]------------------------------------------------------------

Version EVEREST v2.20.405
Homepage http://www.lavalys.com/
Report Type Report Wizard
Computer ACER (Basement)
Generator Admin
Operating System Microsoft Windows XP Home Edition 5.1.2600 (WinXP Retail)
Date 2007-04-06
Time 09:06


CPU Properties:
CPU Type Intel Pentium 4
CPU Alias Prescott
CPU Stepping G1
Engineering Sample No
CPUID CPU Name Intel(R) Pentium(R) 4 CPU 3.06GHz
CPUID Revision 00000F49h

CPU Speed:
CPU Clock 3060.79 MHz (original: 3066 MHz)
CPU Multiplier 23.0x
CPU FSB 133.08 MHz (original: 133 MHz)
Memory Bus 0.00 MHz

CPU Cache:
L1 Trace Cache 12K Instructions
L1 Data Cache 16 KB
L2 Cache 1 MB (On-Die, ECC, ATC, Full-Speed)

Motherboard Properties:
Motherboard ID 63-0100-000001-00101111-060206-RS400$410M1602_RC410-M2 VER R02-A306/02/2006
Motherboard Name Unknown

Chipset Properties:
Motherboard Chipset ATI Radeon Xpress 200
CAS Latency (CL) 3T

SPD Memory Modules:
DIMM1: Nanya NT1GT64U8HA0BY-37B 1 GB DDR2-533 DDR2 SDRAM (5.0-4-4-12 @ 266 MHz) (4.0-4-4-12 @ 266 MHz) (3.0-3-3-9 @ 200 MHz)
DIMM2 1 GB DDR2-533 DDR2 SDRAM (5.0-4-4-12 @ 266 MHz) (4.0-4-4-12 @ 266 MHz) (3.0-3-3-9 @ 200 MHz)

BIOS Properties:
System BIOS Date 06/02/06
Video BIOS Date 03/17/06
DMI BIOS Version R02-A3


--------[ Power Management ]--------------------------------------------------------------------------------------------

Power Management Properties:
Current Power Source AC Line
Battery Status No Battery
Full Battery Lifetime Unknown
Remaining Battery Lifetime Unknown


--------[ Sensor ]------------------------------------------------------------------------------------------------------

Sensor Properties:
Sensor Type HDD
GPU Sensor Type Driver (NV-DRV)

Temperatures:
GPU 53 °C (127 °F)
Seagate ST3320620A 32 °C (90 °F)
MAXTOR 6L080J4 43 °C (109 °F)


Enabled

Mr_JAk3
2007-04-07, 19:53
Hmm the results showed that your computer should have enough memory and power...I still think that this might be a physical problem...

Let's see this just in case.


Make a new folder in the C:\drive called silentrunners
Download 'silent runners" from here: (direct download)
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to your silentrunners folder.

Click start> run> type cmd and hit enter
Type the following exactly and hit enter after each line.
cd c:\silentrunners and hit enter
"silent runners.vbs" -all and hit enter

Wait until it pops up saying its completed, then post the resulting logfile here
It will be very large. You may need several posts to include everything

bfindlay
2007-04-08, 01:34
Ok, here it is. (I couldn't launch it via cmd, but ran it by simply double clicking on it in windows)

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Steam" = "(empty string)" [file not found]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NaturalPoint" = "C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe" [null data]
"Logitech Hardware Abstraction Layer" = ""C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"" ["Logitech Inc."]
"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"Profiler" = "C:\Program Files\Saitek\Software\ProfilerU.exe" ["Saitek"]
"SaiMfd" = "C:\Program Files\Saitek\Software\SaiMfd.exe" ["Saitek"]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"High Definition Audio Property Page Shortcut" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"AVG7_CC" = "e:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AGEIA PhysX SysTray" = "C:\Program Files\AGEIA Technologies\TrayIcon.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" [file not found]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FDMIECookiesBHO Class"
\InProcServer32\(Default) = "e:\Program Files\Free Download Manager\iefdmcks.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{C14F7681-33D8-11D3-A09B-00500402F30B}" = "iO"
-> {HKLM...CLSID} = "iO"
\InProcServer32\(Default) = "C:\Program Files\iO\iomenu.dll" [empty string]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]
"{2F860D81-AF3C-11D4-BDB3-00E0987D8540}" = "UltimateZip Shell Extension"
-> {HKLM...CLSID} = "UltimateZip Shell Extension 1"
\InProcServer32\(Default) = "e:\PROGRA~1\ULTIMA~1\uzshlex.dll" [null data]
"{2F860D82-AF3C-11D4-BDB3-00E0987D8540}" = "UltimateZip Drag Drop Handler"
-> {HKLM...CLSID} = "UltimateZip Drag Drop Handler"
\InProcServer32\(Default) = "e:\PROGRA~1\ULTIMA~1\uzshldr.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)

bfindlay
2007-04-08, 01:35
\InProcServer32\(Default) = "E:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "d:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "e:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "e:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "c:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "e:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
iO\(Default) = "{C14F7681-33D8-11D3-A09B-00500402F30B}"
-> {HKLM...CLSID} = "iO"
\InProcServer32\(Default) = "C:\Program Files\iO\iomenu.dll" [empty string]
UltimateZip\(Default) = "{2F860D81-AF3C-11D4-BDB3-00E0987D8540}"
-> {HKLM...CLSID} = "UltimateZip Shell Extension 1"
\InProcServer32\(Default) = "e:\PROGRA~1\ULTIMA~1\uzshlex.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "e:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
UltimateZip\(Default) = "{2F860D81-AF3C-11D4-BDB3-00E0987D8540}"
-> {HKLM...CLSID} = "UltimateZip Shell Extension 1"
\InProcServer32\(Default) = "e:\PROGRA~1\ULTIMA~1\uzshlex.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

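The Silent Runners output above is long, but every loadable entry ends in the same bracketed file tag, which is what a reviewer actually scans for. The script below is an added example, not part of the thread and not Silent Runners' own code: it walks a report of this shape, remembers which registry key or startup folder each entry came from, and sorts entries into dangling ones (target missing), ones with no publisher information, and ones the tool itself marked. How the tags are read is an assumption taken from the tool's legend: [MS] and ["Company"] come from the file's version information (a free-text claim embedded in the file, not an Authenticode signature check), [null data] means no version information, [empty string] a blank company field, [file not found] a missing target, and the <<!>> prefix is treated as the tool's "look at this" marker. It also notes which keys are shell extensions, because DLLs registered under shellex, Shell Extensions\Approved and ShellExecuteHooks are loaded in-process by explorer.exe, which matters when the symptom is Explorer itself hanging, as in this thread. The sample report is constructed from lines copied out of the log above.

```python
"""Triage a Silent Runners startup report (added example, not the tool's code)."""
from __future__ import annotations
import re

# Report line shapes are assumed from the log in this thread.
KEY = re.compile(r"^(?P<key>(?:HK[A-Z]{2,4}|[A-Za-z]:)\\.+?)\s*(?:\{\+\+\})?\s*$")
TAGGED = re.compile(
    r'^(?P<flag><<!>>\s*)?(?P<lhs>.+?)\s*(?:=|->\s*shortcut to:)\s*'
    r'(?P<value>.*?)\s*\[(?P<tag>[^\[\]]*)\]\s*$')
TITLE = re.compile(r'^(?P<flag><<!>>\s*)?(?P<lhs>[^=]+?)\s*=\s*(?P<rhs>.*)$')
# Keys whose DLLs explorer.exe loads in-process; a bad one hangs Explorer itself.
EXPLORER_KEYS = ("shellex", r"shell extensions\approved", "shellexecutehooks")


def verdict(tag: str, flagged: bool) -> str:
    if tag == "file not found":
        return "dangling"            # stale entry: clean up, not malware by itself
    if tag in ("null data", "empty string"):
        return "no publisher info"   # verify the file by hash before trusting it
    if flagged:
        return "tool-flagged"        # <<!>> marker from the tool
    return "ok"                      # version info names a company; still only a claim


def review(text: str) -> list[dict]:
    rows, key, title, name, tflag = [], "", "", "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line and (m := KEY.match(line)):      # registry key / startup folder
            key, title, name, tflag = m["key"], "", "", False
            continue
        if m := TAGGED.match(line):                          # a loadable file with its tag
            lhs = m["lhs"].strip('"')
            sub = lhs.startswith("\\")   # \InProcServer32\(Default) belongs to the title above
            row = {
                "key": key,
                "label": title if sub else lhs,
                "name": name if sub else "",
                "value": m["value"].strip('"'),
                "tag": m["tag"].strip('"'),
                "flagged": bool(m["flag"]) or (sub and tflag),
                "in_explorer": any(k in key.lower() for k in EXPLORER_KEYS),
            }
            row["verdict"] = verdict(row["tag"], row["flagged"])
            rows.append(row)
            continue
        if m := TITLE.match(line):
            if m["lhs"].startswith("->"):        # -> {HKLM...CLSID} = "Friendly Name"
                if not name and m["rhs"] != "(no title provided)":
                    name = m["rhs"].strip('"')
            else:                                # {CLSID}\(Default) = "Name"  (a new title)
                title = m["lhs"].strip('"').removesuffix("\\(Default)")
                name = m["rhs"].strip('"') if m["rhs"].startswith('"') else ""
                tflag = bool(m["flag"])
    return rows


def tally(rows: list[dict]) -> dict[str, int]:
    out: dict[str, int] = {}
    for r in rows:
        out[r["verdict"]] = out.get(r["verdict"], 0) + 1
    return out


# Constructed sample: lines copied from the Silent Runners log in this thread.
SAMPLE_LOG = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Steam" = "(empty string)" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NaturalPoint" = "C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{C14F7681-33D8-11D3-A09B-00500402F30B}" = "iO"
-> {HKLM...CLSID} = "iO"
\InProcServer32\(Default) = "C:\Program Files\iO\iomenu.dll" [empty string]
"{2F860D81-AF3C-11D4-BDB3-00E0987D8540}" = "UltimateZip Shell Extension"
-> {HKLM...CLSID} = "UltimateZip Shell Extension 1"
\InProcServer32\(Default) = "e:\PROGRA~1\ULTIMA~1\uzshlex.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup
"HDDlife" -> shortcut to: "D:\Program Files\BinarySense\HDDlife\HDDlifePro.exe" [file not found]
"""

if __name__ == "__main__":
    rows = review(SAMPLE_LOG)
    print(tally(rows))
    for r in rows:
        if r["verdict"] != "ok":
            print(f'{r["verdict"]:18} {"[explorer] " if r["in_explorer"] else ""}{r["label"]} -> {r["value"]}')
```

Run against the full log, the "dangling" rows are the first things to clean up (a Run value pointing at nothing, a shell extension whose DLL is gone, a startup shortcut to an uninstalled program), the "no publisher info" rows are the files to hash and look up before trusting them, and the rows marked in_explorer are the ones to disable one at a time when Explorer itself is the process that hangs. None of this is a malware verdict on its own; it orders the manual review.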
bfindlay
2007-04-08, 01:35
Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Desktop Background.bmp"


Startup items in "Admin" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Admin\Start Menu\Programs\Startup
"HDDlife" -> shortcut to: "D:\Program Files\BinarySense\HDDlife\HDDlifePro.exe" [file not found]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" [file not found]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" [file not found]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
AVG E-mail Scanner, AVGEMS, "e:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "e:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "e:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 71 seconds, including 18 seconds for message boxes)

Mr_JAk3
2007-04-08, 21:22
Ok, nothing bad in there either; your system appears to be clean.

This might be a physical problem or maybe some faulty driver, software, etc.

We can try whether reducing the running processes helps.

You may fix all the following entries with HijackThis (not required to load with Windows):

O4 - HKLM\..\Run: [NaturalPoint] C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

The folders where you have those pics and videos and the pc freezes - how big are the folders?

:bigthumb:

bfindlay
2007-04-09, 09:08
Ok, after all that - I think the problem was Real Player! I uninstalled it completely, and I can't reproduce any of the issues. Certainly the folder browsing driving CPU to 99% has stopped, and so far (several hours now - a record recently) the computer has not crashed!!

Woo hoo!

Hope this is truly it. Never, repeat never, will anything from Realnetworks touch this machine again.

Thank God I didn't have to re-format etc.

Thanks so much for your patient help over the past few weeks. I am now convinced that the machine IS clean, and windows itself may not be damaged.

Again - thank you! :bigthumb:

Mr_JAk3
2007-04-10, 08:32
Hello :)

That's great news. Small things can cause bad problems....

You can remove the tools we used.

Then you should update your Java to the latest version (6u1):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 9
Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)