0

For the past year I've been putting up with this really annoying problem where the process 'iexplore.exe' opens up in the background. It does not cause any slow downs in my computer but is extremely frustrating when I'm in the middle of playing a game and it opens, minimizing to the desktop. I have run multiple virus, spybot and ad-ware scans and although occasionally something is found, this problem never goes away :(

5
Contributors
24
Replies
25
Views
8 Years
Discussion Span
Last Post by gerbil
0

Have you ran MSconfig and removed all unnecessary start up items from the start up tab? That would be the first thing to try if you have already ran AV and spyware software. Which Spyware program did you run? I find that Spybot search and destroy works the best.

I would also download and install a free program called Glary Utilities. Click on the one click maintenance and make sure all the check boxes are check and let it go. Should help your problem!!!

0

What is the page trying to open to in IE

Sorry, I forgot to mention that IE is not visible. I only know that it is open because when I get a random minimize I will quickly cntrl+ALT+DEL and spot it in the task manager list. It will also sometimes stack up and if I do not close the process I can end up with 4-5 iexplore.exe processes running at the same time.
I should probably also mention that this problem started occurring after curing the virus 'smitfraud' using the program 'SmitFraudFix'.

I am looking into those things mentioned by slasher49er.

0

Have you ran MSconfig and removed all unnecessary start up items from the start up tab? That would be the first thing to try if you have already ran AV and spyware software. Which Spyware program did you run? I find that Spybot search and destroy works the best.

I would also download and install a free program called Glary Utilities. Click on the one click maintenance and make sure all the check boxes are check and let it go. Should help your problem!!!

I would not know what is necessary and what isn't in the start up items and so was unable to mess around in MSconfig. I ran the Glary Utilities program you mentioned but the problem persists. I have used many many anti virus and spyware detections programs (Spybot S&D included), but cannot remember the names of them all.

0

For the past year I've been putting up with this really annoying problem where the process 'iexplore.exe' opens up in the background. It does not cause any slow downs in my computer but is extremely frustrating when I'm in the middle of playing a game and it opens, minimizing to the desktop. I have run multiple virus, spybot and ad-ware scans and although occasionally something is found, this problem never goes away :(

Hello,

My Favorites folder is empty. When I try to add something to it, I get a mesage that the locations is unavailable and that is is somwhere else. Help.

0

So you should check ms config as mentioned above also perform the following steps.

-click start and open run in vista you can type run in the search box then open run and type regedit click file and search for run inside the run folder remove anything suspicious "be careful in the registry"

-then click start and then all program and remove everything from the startup folder.

-run a search of you c: drive looking for .vb i beilieve the program doing this is writen in vb because vb often cant close IE explorer handles this would be why you see many in task manager then remove any files with strange names that appear in the search.

0

For a far more complete listing of startups you should use the Misc Tools section of Hijackthis. Msconfig gives you results from just a few registry keys.

0

Okay so I've turned everything off and even ran in diagnostic mode and still iexplore.exe is open on startup and so can assume that it will do its random opening during gaming. I did follow the instructions of gurukid22 and went into the registry but as I said before I don't know what is considered suspicious and what isn't and the same goes for the .vb files guru told me to look for.
Would it help if I posted a HJT log or something?
Thanks for any help in advance.

0

Download hijack this through google then run a scan a post the log here we will tell you what to remove.

0

Here is the HJT log requested.
Hope it was the right scan :p

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:21 PM, on 10/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Razer\Diamondback 3G\razerhid.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Razer\Diamondback 3G\razertra.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Razer\Diamondback 3G\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.telstra.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra BigPond Home Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback 3G\razerhid.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {3A6AC8B5-6571-476F-A050-CD9E577D07CC} - C:\WINDOWS\system32\browseuiad.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8763 bytes

0

Check to see that you have this file in your sys: c:\windows\system32\browseui.dll -report back on this.
Virus Scan:
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination [use the Choose button to browse to the file]:
C:\WINDOWS\system32\browseuiad.dll

I wish to see if it is a delf variant. Whatever, this will remove it and clean the key:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

0

Check to see that you have this file in your sys: c:\windows\system32\browseui.dll -report back on this.

I do have this in there.

==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination [use the Choose button to browse to the file]:
C:\WINDOWS\system32\browseuiad.dll

Nothing found.

==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.

Nothing found here either:

Malwarebytes' Anti-Malware 1.38
Database version: 2406
Windows 5.1.2600 Service Pack 2

11/07/2009 10:18:16 PM
mbam-log-2009-07-11 (22-18-16).txt

Scan type: Quick Scan
Objects scanned: 99139
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I have actually previously used Malwarebytes' Anti-Malware and noticed that I did have a log from late last year that had two instances of 'Roguespymaxx' quarantined and also 2 traces of malware infected files. Not sure if that is useful information to you but I thought I'd throw it out there and let you decide :P

0

Okay, thanks for that report. Because browseuiad.dll is unknown and its CLSID unregistered you should do the following:
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O22 - SharedTaskScheduler: Component Categories cache daemon preloader - {3A6AC8B5-6571-476F-A050-CD9E577D07CC} - C:\WINDOWS\system32\browseuiad.dll

Then delete C:\WINDOWS\system32\browseuiad.dll
Say if the IE openings continue.

0

When trying to delete browseuiad.dll I get this error message: 'Cannot delete browseuiad: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use.'

0

You would need to close all browsers [well, IE uses it... not opera or firefox] and also explorer, firstly. Delete via cmd.exe :
cd\
del /f /s /q /a C:\WINDOWS\system32\browseuiad.dll
Or there is this:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Browse to the file, rclick it, choose Unlocker, remove any hooks...[ If the file or folder is locked then a window will appear with a list of processes locking the file or folder. Select the locks and click Unlock and you are done. It is recommended to Unlock wisely and to close open processes locking files or folder if any, but if only Explorer.exe is the culprit, do not hesitate!]
...choose Delete, and delete it.
You can then restart explorer via Task Manager [File, New Task... explorer.exe]

0

Problem solved!

I ended up using cmd.exe like you suggested and used task manager to simply end the explore.exe process (probably not the best way to close it but it worked). The random opening of iexplore.exe in the background has ceased and the random minimizing along with it :icon_cheesygrin:

Thank you so much for you help gerbil, your a true legend!

One final question: What was browseuiad.dll?

0

Good stuff, bushoi.
You can close and open explorer.exe at will, it is nothing special. Think of it as similar to IE. Well, it doe share a lot of functions.
browseuiad.dll seemed to be a modified version of browseui.dll, which is a M$ library of functions and other resources for browser [explorer is a browser also..] user interface management.
Your malware included it so as to present its wares, but its controlling software had already been removed. When it popped it simply had nothing to present....

0

It would seem I may have spoken to soon as I noticed when I came back to my computer after a few hours there was an iexplore.exe process again in the task manager. Checking the system32 folder I found browseuiad.dll had returned :@
I have now deleted it a second time but get the feeling it will return.

0

It will. If it returned once.... Okay, there are files there that I cannot see, to protect and regenerate malware. I suspect a rootkit, and this tool will flush out most problems:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

0

Just before starting the scan I was told to install that recovery console system but accidentally hit 'okay' before my net could reconnect :(
Wasn't sure if I should do another scan with the recovery console system installed... anyway, here is the scan report:

ComboFix 09-07-12.03 - User 13/07/2009 18:06.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1574 [GMT 10:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\OPTIONS\CABS\_desktop.ini
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-11 12:13 . 2009-06-17 01:27 38160 ----a-r- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 12:13 . 2009-07-11 12:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 12:13 . 2009-06-17 01:27 19096 ----a-r- c:\windows\system32\drivers\mbam.sys
2009-07-10 12:57 . 2009-07-11 01:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-07 18:17 . 2009-06-26 00:36 1008896 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-07-07 17:15 . 2009-07-07 17:15 -------- d-----w- c:\documents and settings\User\Application Data\GlarySoft
2009-07-07 17:09 . 2009-07-07 17:09 -------- d-----w- c:\program files\Glary Utilities
2009-07-05 11:06 . 2009-07-05 11:06 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PunkBuster
2009-07-05 04:59 . 2009-07-05 04:58 2054424 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcorex.dll
2009-07-05 04:59 . 2009-07-05 04:58 2167576 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgresf.dll
2009-07-05 04:59 . 2009-06-24 06:45 327688 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgldx86.sys
2009-07-05 04:59 . 2009-06-24 06:45 906520 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgemc.exe
2009-07-05 04:59 . 2009-06-24 06:45 3402008 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgui.exe
2009-07-05 04:59 . 2009-06-24 06:45 1204504 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgabout.dll
2009-07-05 04:59 . 2009-06-24 06:45 337176 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avglogx.dll
2009-07-05 04:59 . 2009-06-24 06:45 829208 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcfgx.dll
2009-07-05 04:59 . 2009-06-24 06:45 3298072 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\setup.exe
2009-07-05 04:57 . 2009-06-24 06:12 1454360 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.dll
2009-07-05 04:57 . 2009-06-24 06:12 1085208 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.exe
2009-06-26 13:31 . 2009-06-26 13:31 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\AVG Security Toolbar
2009-06-24 06:46 . 2009-06-24 06:45 832144 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\AVGToolbarInstall.exe
2009-06-24 06:45 . 2009-07-07 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-24 06:45 . 2009-06-24 06:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-16 17:03 . 2009-07-13 05:42 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-16 14:26 . 2009-06-16 14:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 02:23 . 2007-12-25 09:57 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-13 02:22 . 2007-12-25 09:57 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-13 01:22 . 2006-12-31 15:22 16608 ----a-w- c:\windows\gdrv.sys
2009-07-12 09:56 . 2008-11-02 08:11 -------- d-----w- c:\program files\Warcraft III
2009-07-10 13:07 . 2008-02-28 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-05 11:06 . 2007-12-25 09:57 75064 ----a-r- c:\windows\system32\PnkBstrA.exe
2009-07-05 04:58 . 2009-04-21 05:00 335752 ----a-r- c:\windows\system32\drivers\avgldx86.sys
2009-06-24 06:45 . 2009-04-21 05:00 11952 ----a-r- c:\windows\system32\avgrsstx.dll
2009-06-24 06:45 . 2009-04-21 05:00 27784 ----a-r- c:\windows\system32\drivers\avgmfx86.sys
2009-06-08 01:23 . 2007-09-25 18:31 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2009-06-06 00:02 . 2009-06-06 00:02 -------- d-----w- c:\program files\Ubisoft
2009-06-06 00:02 . 2006-12-31 15:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-05 08:07 . 2006-12-31 16:17 -------- d-----w- c:\program files\World of Warcraft
2009-05-29 18:55 . 2007-09-25 17:30 -------- d-----w- c:\program files\Azureus
2009-05-04 01:55 . 2009-04-21 05:00 108552 ----a-r- c:\windows\system32\drivers\avgtdix.sys
2009-05-02 11:13 . 2007-09-26 10:22 107888 ----a-r- c:\windows\system32\CmdLineExt.dll
2009-04-22 18:56 . 2006-12-31 23:32 19376 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 00:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tsnp2std"="c:\windows\tsnp2std.exe" [2006-11-29 258048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 136600]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-14 13680640]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Launch LgDevAgt"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2008-11-06 358920]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2008-11-06 2816520]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2008-11-06 1548296]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Diamondback"="c:\program files\Razer\Diamondback 3G\razerhid.exe" [2007-08-01 147456]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-24 1948440]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2007-02-06 1953792]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2008-06-18 77824]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-27 16875008]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-14 1657376]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2008-06-19 2808832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-24 06:45 11952 ----a-r- c:\windows\system32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\NetMeter

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold Legends\\StrongholdLegends.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Sierra\\SWAT 4\\Content\\System\\Swat4.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Warcraft III\\War3.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.EXE"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:Diablo 2
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [21/04/2009 3:00 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [21/04/2009 3:00 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [21/04/2009 3:00 PM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [21/04/2009 3:00 PM 298776]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [23/01/2009 1:06 PM 80392]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [3/02/2009 12:39 AM 13225]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PNKBSTRB
*NewlyCreated* - PNKBSTRK
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 00:20]

2009-07-11 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-07-07 06:55]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://www.bigpond.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\xzjvews6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/webhp?sourceid=navclient-ff&ie=UTF-8&rlz=1B3DVFC_enAU242AU243
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 18:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-1383384898-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:07,5f,3c,ce,f9,50,ed,01,52,a8,77,37,1f,80,e2,dd,82,ec,0c,0c,f7,a7,26,
45,b5,75,bd,a4,90,27,74,7c,80,36,e8,b6,5d,3e,66,6a,a4,bf,97,4d,3b,a4,82,74,\
"??"=hex:25,65,bb,27,8b,92,55,34,10,3f,d9,49,2f,0e,31,37

[HKEY_USERS\S-1-5-21-1659004503-1383384898-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:e2,60,37,54,a4,90,e1,42,bf,ea,6d,3b,3a,32,a6,a2,f0,24,e6,6e,26,
9a,62,5c,0a,a6,62,8a,0d,55,f8,27,ae,53,07,e8,1e,be,d6,3e,3f,0a,83,02,27,71,\
"rkeysecu"=hex:e0,54,41,8e,97,1f,4c,69,53,47,06,ea,08,ba,32,11
.
Completion time: 2009-07-13 18:12
ComboFix-quarantined-files.txt 2009-07-13 08:12

Pre-Run: 122,519,105,536 bytes free
Post-Run: 122,553,536,512 bytes free

232 --- E O F --- 2008-11-02 16:53

0

Good morning.
Installing Recovery Console is a precaution in case Combofix breaks your sys. If you have a bootable XP cd you do not need it on your hard drive- it is then just a convenience.
This one, c:\windows\OPTIONS\CABS\_desktop.ini is associated with various worms, virii. The other deletions were of SMitfraudfix files.
I see no other problems there.... you certainly threw some stuff at it.. :)
You can remove that AVG8 browser toolbar if you so wish... a space waste.
Tell me how things are, please.

0

Over a day has passed and still haven't had iexplore open in background. Thanks again gerbil :)

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.