Explorer.exe using 99% CPU

bfindlay

New member
When browsing folders full of images or video clips on my PC, the PC will stop responding, and the CPU usage goes to 100%. If I quit explorer.exe and relaunch it, it clears up for a bit, then it re-occurs. This behaviour has been going on now for about a month.

I have scanned repeatedly with Spybot, AVG, and now (before this post) with HijackThis and the online scanner 'Housecall'. Here are my HJT logs and the result of the Housecall scan (I did not see a way to save a report here, but it pronounced the PC as clean).

ADVthanksANCE to any and all that can shed light on this. I appreciate it! ;-)

Logfile of HijackThis v1.99.1
Scan saved at 9:15:52 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - e:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NaturalPoint] C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Hi and welcome to the Forums :)

You don't have an antivirus on your computer; you must install one.

These are good (free) antiviruses:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      [screenshot: scanavgjk2.jpg]
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
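The entries picked out above share one property: each is a registration that no longer points at anything (a BHO listed as "(no file)", a component marked "(file missing)", a DPF ActiveX entry with no download URL). As an added example, not code from the thread or from HijackThis, here is a small Python triage script that applies that rule to log lines; the sample lines are copied from the logs posted in this thread.

```python
import re

# Constructed sample: a handful of entries copied from the HijackThis v1.99.1
# logs posted in this thread (first and second scan), not a complete log.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."; process-list and header
# lines do not have the "<letter><digits> - " prefix and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O16 body layout: "DPF: {CLSID} (optional name) - <download URL or nothing>"
O16_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def classify(section, body):
    """Return why an entry is an orphan, or None if it still points at something real."""
    if body.endswith("(file missing)"):
        return "registered component whose file no longer exists"
    if section == "O2" and body.endswith("- (no file)"):
        return "BHO registration with no backing file"
    if section == "O16":
        m = O16_RE.match(body)
        if m and not m.group("url"):
            return "ActiveX download entry with no source URL"
    return None


def triage(log_text):
    """Parse a HijackThis log and return the orphaned entries, in log order."""
    orphans = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line or running-process path
        reason = classify(m.group("section"), m.group("body"))
        if reason is None:
            continue
        clsid = CLSID_RE.search(line)
        orphans.append({
            "section": m.group("section"),
            "clsid": clsid.group(0) if clsid else None,
            "reason": reason,
            "line": line,
        })
    return orphans


if __name__ == "__main__":
    for entry in triage(SAMPLE_HJT_LOG):
        print(f"{entry['section']:>4}  {entry['reason']}\n      {entry['line']}")
```

Entries that point at an existing file (the Acrobat BHO, the Panda ActiveScan DPF with its URL) are left alone; the script only reproduces the orphan rule, so a real log still needs the reviewer's judgement on everything it does not flag.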
 
Hi and welcome to the Forums :)

You don't have an antivirus on your computer; you must install one.


Hmmm- I installed and ran AVG some time ago. From the Hijack this log, I see:

e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

(In my first post). Is this not an 'antivirus'? Am I missing something here? I thought I already DID install and run AVG, as evidenced above.
 
New Scan logs..

Mr. Jak - thanks for taking the time to look at this. I see that the AVG antivirus is different from the spyware - I have installed it. Followed your detailed instructions - updated the AVG anti-spyware, rebooted in safe mode. Ran HJT and deleted the entries you suggested, ran ATF Cleaner, and saved log. Ran spyware and saved log, and did a second HJT scan. All are posted here. Hope this makes sense.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:01:51 PM 3/16/2007

+ Scan result:



D:\Local Disk (E)\Documents and Settings\Brian_2\Cookies\brian_2@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 9:05:11 PM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
e:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
e:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
e:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cbc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - e:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NaturalPoint] C:\Program Files\NaturalPoint\TrackIR4\TrackIR.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] e:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://e:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://e:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://e:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Problem still exists...

Ok, after all that, I have verified that the problem still exists. After a few digs into folder structures, the CPU usage jumps to 100% and I have to quit and relaunch explorer.exe.
 
Hello again :)

I'm sorry for the huge delay, I've been very busy the last two days...


Yes, AVG Anti-Spyware isn't an antivirus.

Did you fix these entries with HijackThis?

O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)

Download F-Secure Blacklight and save it to your desktop.

Double-click blbeta.exe, accept the agreement, click Scan, then click Next.

You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename if something was found!

Post the contents of fsbl.xxxx.log here (the BlackLight log from your desktop).
 
Thanks!

Mr Jak - thanks for your help. Yes I did delete the HJT entries. I am downloading and scanning with the rootkit you suggested right now. Back to you later...
 
Root kit report

Mr Jak - here is the root kit report. Don't know what this implies, but here it is.

03/21/07 23:13:45 [Info]: BlackLight Engine 1.0.55 initialized
03/21/07 23:13:45 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/21/07 23:13:45 [Note]: 7019 4
03/21/07 23:13:45 [Note]: 7005 0
03/21/07 23:13:47 [Note]: 7006 0
03/21/07 23:13:47 [Note]: 7011 1564
03/21/07 23:13:47 [Note]: 7026 0
03/21/07 23:13:47 [Note]: 7026 0
03/21/07 23:13:53 [Note]: FSRAW library version 1.7.1021
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\ali.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\cdlock.dll
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\cpy.exe
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\dirlist
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\dirlist_bak
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\DL.BAK
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\EMF_Decrypt.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\fldrvw61.ocx
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\install.exe
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\magic.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mf.chm
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mf.txx
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mfx
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\MFX.CFG
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\mfx_cfg.org
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\readme.txt
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\systray.exe
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\tb.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Note]: 7003 1
03/21/07 23:13:54 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:15:00 [Note]: 10002 3
03/21/07 23:16:32 [Info]: Hidden file: c:\WINDOWS\system32\drivers\MFX.sys
03/21/07 23:16:32 [Note]: 7002 0
03/21/07 23:16:32 [Note]: 7003 1
03/21/07 23:16:32 [Note]: 10002 1


Thanks again for your help with this! ;-)
 
Hello :)

Ok, the BlackLight scan revealed a rootkit. It is related to this Encrypted Magic Folders software... it is used to encrypt and hide files/folders.

There are now a few possibilities:

1. You have installed the program. Are you the administrator/owner of the pc?
2. Someone else has installed the program to hide stuff from you (maybe an attacker)


So do you know anything about the program?
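As an added example, not code from the thread or from F-Secure, here is a Python summary of a BlackLight log of the kind posted above: it collects the "Hidden file:" lines, groups them by directory and singles out hidden kernel drivers (.sys files), which is the information the two possibilities above turn on. The sample lines are a subset of the log in this thread; the [Note] status codes are ignored.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the BlackLight (fsbl) log lines posted in this
# thread. The [Note] lines are engine status codes and carry no file information.
SAMPLE_FSBL_LOG = r"""
03/21/07 23:13:45 [Info]: BlackLight Engine 1.0.55 initialized
03/21/07 23:13:45 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/21/07 23:13:47 [Note]: 7011 1564
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\ali.exe
03/21/07 23:13:54 [Note]: 7002 0
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\cdlock.dll
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\magic.exe
03/21/07 23:13:54 [Info]: Hidden file: c:\SYZ_DAT\readme.txt
03/21/07 23:16:32 [Info]: Hidden file: c:\WINDOWS\system32\drivers\MFX.sys
03/21/07 23:16:32 [Note]: 10002 1
"""

# "<date> <time> [Info]: Hidden file: <path>"; only this line shape is used here.
HIDDEN_RE = re.compile(r"^\S+ \S+ \[Info\]: Hidden file: (?P<path>.+)$")
# A hidden file that can load into the kernel is what makes the hiding a rootkit,
# whichever software put it there, so it gets its own line in the summary.
DRIVER_EXTENSIONS = {".sys"}


def hidden_files(log_text):
    """Return every path BlackLight reported as hidden, in log order."""
    paths = []
    for raw in log_text.splitlines():
        m = HIDDEN_RE.match(raw.strip())
        if m:
            paths.append(m.group("path").strip())
    return paths


def summarize(log_text):
    """Group hidden files by directory and single out hidden kernel drivers.

    Whether the hiding belongs to a tool the owner installed (Magic Folders in
    this thread) or to something planted cannot be read off the log itself;
    the summary only lists what the owner has to account for.
    """
    by_dir = defaultdict(list)
    drivers = []
    for path in hidden_files(log_text):
        directory, name = ntpath.split(path)
        by_dir[directory.lower()].append(name)  # Windows paths: case-insensitive
        if ntpath.splitext(name)[1].lower() in DRIVER_EXTENSIONS:
            drivers.append(path)
    return {
        "total": sum(len(v) for v in by_dir.values()),
        "directories": dict(by_dir),
        "hidden_drivers": drivers,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FSBL_LOG)
    print(f"{report['total']} hidden files in {len(report['directories'])} directories")
    for directory, names in report["directories"].items():
        print(f"  {directory}: {', '.join(names)}")
    for drv in report["hidden_drivers"]:
        print(f"  hidden kernel driver: {drv}")
```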
 
Rootkit

Yes I am the admin of this computer. I installed Magic Folders for privacy reasons on this occasionally shared PC. I doubt that this program is the problem - I have used it for years on three different PCs now with no problem. I first contacted them with a report of this issue, but they had never heard of such a problem. I uninstalled it for a time, to see if it would cure it but it did not, so I re-installed it.

Strangely, this behaviour seems to only manifest itself in some folder trees, not others.
 
Ok, Magic Folders is OK since you have installed it on purpose.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
Got something!

Hmmm - well, I set up the scan last night, before going to bed. This morning the computer was doing things I have never seen before. First, I was presented with a window saying the computer was locked, and I must enter the admin password to get back in. Did that, and was taken back to the running Internet Explorer process - sort of.

The windows were displayed, but mostly blank. When I moused over various parts of the screen, sometimes content directly under the mouse would become visible. One of these was the small window reporting the results of the scan. Scan took 3 hours, and found tons of stuff that was 'locked' and 'skipped'. It found two items on the 'f' drive (I have multiple drives, some partitioned) that had a little skull next to them, and it reported 2 infected files, and 1 virus. Tried to save the scan report, but the window that popped up (the save dialog box) was again, mostly blank, I moused around and the two buttons at the bottom appeared, but with no text in them. Clicked on one that should have been 'save' no disk activity, and the dialog box would not clear.

Tried ctrl-alt-del to get the task manager, and IT popped up with blank content and buttons as well. At that point, the computer was dead - I could not get anything to respond properly. I could drag the ghost outline of that box around, but it just smeared the background. Could not close it. Tried the power switch to restart - it did not respond. Had to unplug the computer to get it back up.

So, apparently we found something and pissed it off! OR Kaspersky itself stuck something on the computer with that ActiveX control that screwed up the works. Weird. I will try the scan again in safe mode tonight.

-confused.
 
Hello :)

Very interesting.... We could use another scanner...


You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found.
    [image: check.gif]
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode.
  • Post the Cure-it report and a fresh HijackThis log
 
Dang - weird behaviour.

Ok, something is definitely 'up'. Followed your directions, and ran the scan in safe mode with Dr.Web. Express scan - no problem. Disk scan started, and after about 20 minutes, a window popped up, saying it had found a trojan in one of the .reg files of the Spybot folder. Deleted that, the computer continued its scan. Left it, and came back 20 minutes later, and the screen saver had kicked in. When I moved the mouse, behold - the same blank windows were back. It was clear that Dr.Web was putting up a second notification dialog, but the buttons and information were blank. Background was blank, and the mouse/keyboard stopped responding. (This was in safe mode!)

Computer would not respond to the power button. Had to unplug it to restart it.

Safe mode again, and started another scan. Tried to disable the screensaver, as both times it did this, it was coming back from the screensaver. I click 'none' in the screensaver panel, then apply, then ok. Re-open the screensaver properties window and it has reset it to the default 10 min! Tried to choose another screen saver, and as soon as I close the window and re-open it - it is back to the original windows xp screen saver.

Tried clicking 'none' then 'apply' and leaving the window open, but the screen saver still re-engaged after 10 minutes.

Can't explain this. But this behaviour is not right. May or may not be related to other problems on this computer. Am running a scan again, but since the screen saver kicks in every 10 minutes, and the scan will take hours, I don't know if this will work (I can't sit here and wiggle the mouse all day).

-still stumped, but trying!!

Appreciate your help Mr J!! hope you are enjoying the puzzle! ;-)
 
Kaspersky log

OK, I managed to get a scan on Kaspersky to show the files by scanning in safe mode with networking. Didn't see anything there that would allow me to DELETE these files, but I was able to get the log. These are the two files I saw the other day after a full scan, followed by a crash before I could save the log file.

They are the entries on drive F right at the bottom.

********************************************************

Sunday, March 25, 2007 4:07:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/03/2007
Kaspersky Anti-Virus database records: 285770
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
I:\
J:\
K:\
L:\
M:\
Scan Statistics
Total number of scanned objects 570978
Number of viruses found 1
Number of infected objects 2 / 0
Number of suspicious objects 0
Duration of the scan process 03:06:43

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012007032520070326\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0552733A-F89A-4830-995C-4F1F8B98C0A2}\RP181\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP3\A0000690.EXE/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
F:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP3\A0000690.EXE WiseSFX: infected - 1 skipped
Scan was interrupted by user!

*********************************************************

The Dr. Web scan had only this to say:

Process.exe;C:\Battle of Britain II;Tool.Prockill;;

However, I can verify that this file is fine - it is a process killer installed with Battle of Britain for relieving the system of unnecessary processes before gameplay - to improve frame rates. I use it occasionally and it has to be launched manually. Basically a DOS batch shell that stops various windows services. NOT a virus.

So - where does that leave us with the two F files. Should I try and find and delete em? Why do none of the other scanners find em? Specifically AVG.

They look like registry entries - not sure of the best way to dig em out of there. Not sure if they are even related - most of my issues come with browsing folder structures on the E drive....
 
Hi :)

The "scan freezing" is most likely caused by the screensaver/power save mode...
I've seen similar issues in my friend's pc...

Kaspersky found some infections from the System Restore. This can be easily cleaned. And yes, you don't have to worry about the process.exe since you use it.

The screensaver problem might be eg some corrupted setting...Does this same issue appear on other user accounts?
 
>>Kaspersky found some infections from the System Restore. This can be easily cleaned. And yes you don't have to worry about the process.exe since you use it.

Umm - how? There were no options in Kaspersky to do so. Don't know how to do it manually. What is the next step?

PS - I think the screensaver not being able to shut off was related to spybot/teatimer. When I restarted normally, then tried to stop it, I got a teatimer dialog box that I did NOT get under safe mode. At any rate, Kaspersky managed to scan ok.
 
Hard crash

Hmm - the computer crashed last night - unrelated to any folder browsing (which was a 'crash' of explorer.exe only - not the entire system), or scanning or anything. Had to unplug to get it back. This morning it reported:

"One of the files containing the system's registry data had to be recovered by use of a log or alternate copy. The recovery was successful."

in a pop-up window when I started the computer. How do we clean those files out of the registry - too much of a coincidence for my blood.
 
Hi :)

These errors may be caused by a physical factor too...maybe the harddrive is getting old...

You could do these steps from this list and see if that helps --> Link
- Check for disk errors
- Check for damaged, altered or missing critical system files
- Defrag your system

Then we'll need to clear your system restore from the malware that was left there.
  • Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
  • Click to add a check mark beside Turn off System Restore on all Drives, and click Apply.
  • When you are warned that all existing Restore Points will be deleted, click Yes to continue.
Restart your computer normally.
Then we'll enable system restore again.
  • Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
  • Uncheck beside Turn off System Restore on all Drives, and click Apply.
  • Close the window
 
Viruses still with me.

Mr Jak - tried all that (except the defrag bit). Turned OFF system restore, then rebooted. Ran the chkdsk on all volumes. Then ran kaspersky again last night. Here is the result.

Saturday, March 31, 2007 6:43:16 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/03/2007
Kaspersky Anti-Virus database records: 289353
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
I:\
J:\
K:\
L:\
M:\
Scan Statistics
Total number of scanned objects 563958
Number of viruses found 1
Number of infected objects 2 / 0
Number of suspicious objects 0
Duration of the scan process 02:58:07

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012007033020070331\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\Free Download Manager\tic54.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF1F32.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\ACER.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{75FDFD2C-0696-4B51-B907-DCCBFCF53666}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\ZLT022d7.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT022db.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP3\A0000690.EXE/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
F:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP3\A0000690.EXE WiseSFX: infected - 1 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.



So, either the positives on drive F are false, or we need some other strategy to get rid of em. Can I manually delete these from the registry using regedit?
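An added example, not code from the thread or from Kaspersky: a small Python parser that sorts Kaspersky Online Scanner report lines like the ones posted above into "Object is locked" noise versus actual detections, and flags any detection whose path sits inside a System Restore point (a `<drive>:\System Volume Information\_restore{GUID}\RPn\` directory). That is exactly where the two F: hits live: they are snapshot copies of an installer kept by System Restore, not registry entries, which is why the restore-point purge described earlier in the thread is the cleanup route rather than regedit. The sample report is constructed in the posted layout; the two F: lines copy the thread's own entries, and the E: EICAR test-file line is invented so a non-restore-point hit is exercised too.

```python
"""Separate real detections from 'Object is locked' noise in a Kaspersky
Online Scanner (v5) report and flag hits that live in System Restore points.

Added example; not code from the forum thread or from Kaspersky.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the posted report's layout. The F: entries copy the
# thread's two hits; the E: line is an invented EICAR test-file hit outside
# any restore point so both cases are exercised.
SAMPLE_REPORT = """\
Infected Object Name Virus Name Last Action
C:\\Documents and Settings\\Admin\\NTUSER.DAT Object is locked skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
F:\\System Volume Information\\MountPointManagerRemoteDatabase Object is locked skipped
F:\\System Volume Information\\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\\RP3\\A0000690.EXE/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
F:\\System Volume Information\\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\\RP3\\A0000690.EXE WiseSFX: infected - 1 skipped
E:\\Downloads\\eicar.com Infected: EICAR-Test-File skipped
Scan process completed.
"""

# Report line shapes: '<path> Object is locked <action>',
# '<path> Infected: <signature> <action>', and the container verdict for a
# self-extracting archive, '<path> <packer>: infected - <n> <action>'.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<packer>\S+): infected - (?P<n>\d+) (?P<action>\S+)$")
# System Restore snapshot directory: <drive>:\System Volume Information\_restore{GUID}\RPn\
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\"
)


@dataclass
class Detection:
    path: str      # object as reported; '/' separates a member inside an archive
    verdict: str   # signature name, or '<packer>: infected - N' for the container
    action: str    # scanner's last action (always 'skipped' in an online scan)
    container: str = field(init=False, default="")         # on-disk file holding it
    restore_drive: Optional[str] = field(init=False, default=None)
    restore_point: Optional[int] = field(init=False, default=None)

    def __post_init__(self) -> None:
        self.container = self.path.split("/", 1)[0]
        m = RESTORE_RE.match(self.container)
        if m:
            self.restore_drive = m.group("drive").upper()
            self.restore_point = int(m.group("rp"))


def parse_report(text: str) -> Tuple[List[Detection], int]:
    """Return (detections, number of locked objects). Header, settings and
    'Scan process completed.' lines match no pattern and are ignored."""
    detections: List[Detection] = []
    locked = 0
    for line in text.splitlines():
        line = line.rstrip()
        if LOCKED_RE.match(line):
            locked += 1
            continue
        m = INFECTED_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["name"], m["action"]))
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            detections.append(Detection(m["path"], f"{m['packer']}: infected - {m['n']}", m["action"]))
    return detections, locked


def group_by_container(detections: List[Detection]) -> Dict[str, dict]:
    """Collapse per-member hits onto the on-disk file they live in and note
    whether that file is a restore-point copy (cleared by purging restore
    points) rather than a live file."""
    groups: Dict[str, dict] = {}
    for d in detections:
        g = groups.setdefault(d.container, {
            "verdicts": [],
            "in_restore_point": d.restore_point is not None,
            "drive": d.restore_drive,
            "restore_point": d.restore_point,
        })
        g["verdicts"].append(d.verdict)
    return groups


def restore_point_files(detections: List[Detection]) -> List[str]:
    """On-disk files flagged inside restore points, in first-seen order."""
    seen: List[str] = []
    for d in detections:
        if d.restore_point is not None and d.container not in seen:
            seen.append(d.container)
    return seen


if __name__ == "__main__":
    dets, locked = parse_report(SAMPLE_REPORT)
    print(f"{locked} locked objects skipped (not detections)")
    for path, g in group_by_container(dets).items():
        where = (f"restore point RP{g['restore_point']} on {g['drive']}:"
                 if g["in_restore_point"] else "live file")
        print(f"{path}\n    {where}: {', '.join(g['verdicts'])}")
```

Run against the constructed sample it reports three locked objects, one restore-point container on F: carrying both the member signature and the WiseSFX container verdict, and one live file on E:. Feeding it the full posted log gives the same two-line answer for F:, which is the practical check before deciding between a restore-point purge and any manual deletion.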
 