
Thread: Explorer.exe using 99% CPU

  1. #1
    Junior Member (Join Date: Sep 2006, Posts: 26)

    Explorer.exe using 99% CPU

    When browsing folders full of images or video clips on my pc, the pc will stop responding, and the cpu usage goes to 100%. If I quit explorer.exe and relaunch it, it clears up for a bit, then it re-occurs. This behaviour has been going on now for about a month.

    I have scanned repeatedly with Spybot, AVG, and now (before this post) with HijackThis and the online scanner 'Housecall'. Here are my HJT logs and the result of the Housecall scan (I did not see a way to save a report there, but it pronounced the pc as clean).

    ADVthanksANCE to any and all that can shed light on this. I appreciate it! ;-)

    Logfile of HijackThis v1.99.1
    Scan saved at 9:15:52 AM, on 3/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
    C:\Program Files\Saitek\Software\ProfilerU.exe
    C:\Program Files\Saitek\Software\SaiMfd.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\Downloads\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbc.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - e:\Program Files\Free Download Manager\iefdmcks.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NaturalPoint] C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O8 - Extra context menu item: Download all with Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  2. #2
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 3,934)

    Hi and welcome to the Forums

    You don't have an antivirus on your computer; you must install an antivirus.

    These are good (free) antiviruses:
    You should print these instructions or save these to a text file. Follow these instructions carefully.

    Open AVG Anti-Spyware
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    Download ATF Cleaner by Atribune to your desktop.
    Do NOT run yet.

    ==================

    Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

    O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

    Restart your computer to the safe mode:
    • Restart your computer
    • Start tapping the F8 key when the computer restarts.
    • When the start menu opens, choose Safe mode
    • Press Enter. The computer then begins to start in Safe mode.

    Run ATF Cleaner
    • Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.

    ================

    When you're ready, please post the following logs to here:
    - AVG's report
    - a fresh HijackThis log
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
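The entries the helper lists for fixing share one property: the BHO points at "(no file)" and the O16 DPF lines have no download URL after the trailing dash. As an added example (not HijackThis code and not a tool from this thread), this Python snippet applies that orphaned-entry heuristic to a constructed sample of lines copied from the logs posted here; it generalizes the selection to any entry marked "(no file)" or "(file missing)", which is why it also picks up the later O9 Java Console lines.

```python
import re
from collections import Counter

# Constructed sample: a few lines in HijackThis v1.99.1 format, copied from the
# logs posted in this thread (not a complete log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
"""

# HJT's own markers for a registry entry whose target is no longer on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Every HJT entry starts with a section code (R0, R1, F2, O2, O16, O23, ...).
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def parse_line(line):
    """Split one HJT line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def is_orphan(section, body):
    """True when the entry references something that is not on disk any more."""
    if any(marker in body for marker in ORPHAN_MARKERS):
        return True
    if section == "O16":
        # HJT writes O16 as 'DPF: {CLSID} (Name) - <download URL>'. When the URL
        # is empty the line ends in a bare dash: a stale ActiveX registration.
        return body.rstrip().endswith(" -")
    return False


def triage(log_text):
    """Return the entry lines that match the orphaned-entry heuristic, in log order."""
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        if is_orphan(section, body):
            flagged.append(line.strip())
    return flagged


def count_by_section(flagged):
    """Count flagged entries per HJT section, e.g. {'O2': 1, 'O16': 2}."""
    return dict(Counter(parse_line(line)[0] for line in flagged))


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT_LOG)
    print(f"{len(hits)} orphaned entries: {count_by_section(hits)}")
    for line in hits:
        print("  ", line)
```

Entries flagged this way are stale registrations rather than evidence of infection on their own; they are cleaned up because they are dead weight, not because they caused the CPU problem.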

  3. #3
    Junior Member (Join Date: Sep 2006, Posts: 26)

    Originally Posted by Mr_JAk3:
    Hi and welcome to the Forums

    You don't have an antivirus on your computer, you must install one antivirus.

    Hmmm, I installed and ran AVG some time ago. From the HijackThis log, I see:

    e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    (In my first post.) Is this not an 'antivirus'? Am I missing something here? I thought I already DID install and run AVG, as evidenced above.

  4. #4
    Junior Member (Join Date: Sep 2006, Posts: 26)

    New Scan logs..

    Mr. Jak - thanks for taking the time to look at this. I see that the AVG antivirus is different from the anti-spyware - I have installed it. Followed your detailed instructions - updated the AVG Anti-Spyware, rebooted in safe mode. Ran HJT and deleted the entries you suggested, ran ATF Cleaner, and saved the log. Ran the anti-spyware scan and saved the log, and did a second HJT scan. All are posted here. Hope this makes sense.

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:01:51 PM 3/16/2007

    + Scan result:

    D:\Local Disk (E)\Documents and Settings\Brian_2\Cookies\brian_2@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.

    ::Report end

    Logfile of HijackThis v1.99.1
    Scan saved at 9:05:11 PM, on 3/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    e:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    e:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    e:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
    C:\Program Files\Saitek\Software\ProfilerU.exe
    C:\Program Files\Saitek\Software\SaiMfd.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Downloads\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbc.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
    O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - e:\Program Files\Free Download Manager\iefdmcks.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NaturalPoint] C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
    O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] e:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O8 - Extra context menu item: Download all with Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  5. #5
    Junior Member (Join Date: Sep 2006, Posts: 26)

    Problem still exists...

    Ok, after all that, I have verified that the problem still exists. After a few digs into folder structures, the cpu usage jumps to 100% and I have to quit and relaunch explorer.exe.

  6. #6
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 3,934)

    Hello again

    I'm sorry for the huge delay, I've been very busy the last two days...

    Yes, AVG Anti-Spyware isn't an antivirus.

    Did you fix these entries with HijackThis?

    O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)

    Download F-Secure Blacklight and save it to your desktop.

    Double-click blbeta.exe, accept the agreement, click Scan, then click Next.

    You'll see a list of what has been found. A log will appear on your desktop; it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

    DON'T choose Rename if something was found!

    Post the contents of fsbl.xxxx.log to here (blacklight log from your desktop)

  7. #7
    Junior Member (Join Date: Sep 2006, Posts: 26)

    Thanks!

    Mr Jak - thanks for your help. Yes I did delete the HJT entries. I am downloading and scanning with the rootkit you suggested right now. Back to you later...

  8. #8
    Junior Member (Join Date: Sep 2006, Posts: 26)

    Rootkit report

    Mr Jak - here is the rootkit report. Don't know what this implies, but here it is.

    03/21/07 23:13:45 [Info]: BlackLight Engine 1.0.55 initialized
    03/21/07 23:13:45 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    03/21/07 23:13:45 [Note]: 7019 4
    03/21/07 23:13:45 [Note]: 7005 0
    03/21/07 23:13:47 [Note]: 7006 0
    03/21/07 23:13:47 [Note]: 7011 1564
    03/21/07 23:13:47 [Note]: 7026 0
    03/21/07 23:13:47 [Note]: 7026 0
    03/21/07 23:13:53 [Note]: FSRAW library version 1.7.1021
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\ali.exe
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\cdlock.dll
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\cpy.exe
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\dirlist
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\dirlist_bak
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\DL.BAK
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\EMF_Decrypt.exe
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\fldrvw61.ocx
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\install.exe
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\magic.exe
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mf.chm
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mf.txx
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mfx
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\MFX.CFG
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mfx_cfg.org
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\readme.txt
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\systray.exe
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\tb.exe
    03/21/07 23:13:54 [Note]: 7002 0
    03/21/07 23:13:54 [Note]: 7003 1
    03/21/07 23:13:54 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:15:00 [Note]: 10002 3
    03/21/07 23:16:32 [Info]: Hidden file: c:\WINDOWS\system32\drivers\MFX.sys
    03/21/07 23:16:32 [Note]: 7002 0
    03/21/07 23:16:32 [Note]: 7003 1
    03/21/07 23:16:32 [Note]: 10002 1


    Thanks again for your help with this! ;-)

  9. #9
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 3,934)

    Hello

    Ok, the Blacklight revealed a rootkit. It is related to this Encrypted Magic Folders software... it is used to encrypt and hide files/folders.

    There are now a few possibilities:

    1. You have installed the program. Are you the administrator/owner of the pc?
    2. Someone else has installed the program to hide stuff from you (maybe an attacker)

    So do you know anything about the program?
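The reading of the BlackLight log in the post above rests on two observations: every hidden file sits under one directory, c:\SYZ_DAT, and one hidden kernel driver, MFX.sys, sits under system32\drivers, which is what a file-hiding product needs to intercept directory listings. As an added example (not F-Secure's code and not from this thread), this Python snippet parses a constructed excerpt of the posted fsbl log and extracts exactly those two facts, so the same triage can be repeated on another BlackLight log before deciding whether the hiding is expected software or not.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: an excerpt of the BlackLight log posted in this thread.
# The numeric [Note] lines are engine diagnostics and carry no file information.
SAMPLE_BLACKLIGHT_LOG = r"""
03/21/07 23:13:45 [Info]: BlackLight Engine 1.0.55 initialized
03/21/07 23:13:45 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\ali.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\cdlock.dll
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\MFX.CFG
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:16:32 [Info]: Hidden file: c:\WINDOWS\system32\drivers\MFX.sys
"""

# '<date> <time> [Info]: Hidden file: <path>' is the only line type we need.
HIDDEN_RE = re.compile(r"^(\S+ \S+) \[Info\]: Hidden file: (.+)$")


def hidden_files(log_text):
    """Return the paths BlackLight reported as hidden, in log order."""
    paths = []
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            paths.append(m.group(2).strip())
    return paths


def group_by_directory(paths):
    """Map each (lower-cased) parent directory to the hidden file names in it."""
    groups = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        groups[str(wp.parent).lower()].append(wp.name)
    return dict(groups)


def hidden_drivers(paths):
    """Hidden .sys files under system32\\drivers: the kernel component doing the hiding."""
    found = []
    for p in paths:
        wp = PureWindowsPath(p)
        parent = str(wp.parent).lower()
        if wp.suffix.lower() == ".sys" and parent.endswith(r"\system32\drivers"):
            found.append(p)
    return found


def summarize(log_text):
    """One dict a reviewer can read at a glance: how many, where, and any hidden drivers."""
    paths = hidden_files(log_text)
    return {
        "hidden_count": len(paths),
        "by_directory": group_by_directory(paths),
        "hidden_drivers": hidden_drivers(paths),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_BLACKLIGHT_LOG)
    print(f"{summary['hidden_count']} hidden files")
    for directory, names in summary["by_directory"].items():
        print(f"  {directory}: {', '.join(names)}")
    for drv in summary["hidden_drivers"]:
        print(f"  hidden kernel driver: {drv}")
```

A single user-data directory plus one hidden driver is the pattern of a file-hiding utility; a hidden driver with no known product behind it, or hidden files scattered through system directories, is the case that warrants treating the machine as compromised.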

  10. #10
    Junior Member (Join Date: Sep 2006, Posts: 26)

    Rootkit

    Yes, I am the admin of this computer. I installed Magic Folders for privacy reasons on this occasionally shared pc. I doubt that this program is the problem - I have used it for years on three different pcs now with no problem. I first contacted them with a report of this issue, but they had never heard of such a problem. I uninstalled it for a time, to see if it would cure it, but it did not, so I re-installed it.

    Strangely, this behaviour seems to only manifest itself in some folder trees, not others.
