0

Hi guys,

I know there are a lot of posts on explorer.exe crashing, but what I have noticed is that everybody's problem is slightly different from mine.

I have an Asus EeePC 1000H, XP Home Ed. Service Pack 3, 1.60 GHz.

The computer was running fine until I plugged in my Blackjack II smartphone to sync. I started Microsoft ActiveSync and that is where it all began (I sync my phone on a weekly basis with no issues).

The computer did not recognize the phone and when I tried to fix the error it wouldn't. I tried to uninstall and wasn't able to due to uninstaller something (which I have now managed to fix, I think).

If I run IE normally (I am using IE in safe mode now with no issues) the internet connection will be lost, and if I try to fiddle with it the computer will crash and restart on its own (with issues).

I saw several people run the Hijackthis program so I installed it, ran it and these are the results:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:38:42 AM, on 8/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Aracely\Local Settings\Temporary Internet Files\Content.IE5\NIA2FQWD\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eeepc.asus.com/global
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eeepc.asus.com/global
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5677 bytes

I managed to get Windows Live OneCare working and it came up with 4 items:

Exploit:Java/CVE-2008-5353.EE
Exploit:Java/CVE-2008-5353.GA
Exploit:Java/CVE-2009-3867.CF
TrojanDownloader:Java/OpenConnection.BB

All have been removed but the problem persists. I try to run Registry Booster 2010 and it gets stuck. Task Manager says it is running but it seems to be frozen and then it crashes... a fast flash of the dreaded blue screen followed by a black screen and restart.

When I try to run a Windows Update, it sort of opens IE8 and just stays in the initializing mode showing other backgrounds.

Can anyone shed some light?

Thanks :)

2 contributors, 15 replies, 16 views, discussion span 7 years, last post by gerbil
0

Hello Aracely,
try not to run programs like Registry Booster when you think your sys may have an infection. And you most likely still do. Please re-run Hijackthis in Normal mode; in Safe mode it is of vastly reduced usefulness because many malwares are only started by processes in the Normal mode. But do this before you re-run Hijackthis :
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].


0

I do apologize, I forgot to mention that I ran Malwarebytes yesterday and today and found nothing. Windows Live OneCare is the only one that found something and removed it.

As for running hijack here are the new results:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:46:19 PM, on 8/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Uniblue\RegistryBooster 2010\registrybooster.exe
C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\MobileMeServices.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Aracely\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eeepc.asus.com/global
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eeepc.asus.com/global
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6781 bytes

0

If an uninstaller bugs out, you can always reinstall the software and try to uninstall again.
The hijackthis log run in normal mode shows no unwanted entries. From what you say, I can have no idea of the problem... a first suggestion would be to run the file checker to correct corruption in monitored files. Go Start, run, enter...
sfc /checknow
You most likely will be asked to point to the i386 folder, eg on an installation cd or a folder in your sys.
But there is something else lurking which starts in normal mode and disturbs IE and your networking. After sfc we can work on that.

0

To see the blue screen error codes go to CP > System > Advanced tab > Startup n Recovery Settings, uncheck Automatically Restart.
Report the error code and any subsystem mentioned.

0

Hi gerbil, thanks for replying!

Someone told me to delete files:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

So I did and it seems that it made things worse! Now I can only log on in safe mode as it does not let me log on normally before crashing =/ And if it manages to "load" without crashing it stops at the desktop with no icons.

When I run the sfc /checknow a black screen pops up for a millisecond and disappears.

0

Hmm.. the first one was just a safe, normal Yahoo orphan adrift in a registry sea... no harm.
The others are Java related [next time you update Java it will fix itself] and an Acrobat IE add-on. Normally you remove ActiveX add-ons from IE > Tools > Manage Add-ons - that way you properly unregister the dlls etc.
sfc /checknow.... profuse apologies, too many commands to remember... it is sfc /scannow. Grr.... when it completes it will just close, no fanfare. Luckily, you can run it from Safe mode also.
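A small triage script for logs in the format HijackThis produces, added here as an example rather than code from this thread or from HijackThis: it keeps the R/O entries, counts them per section (handy for comparing the safe-mode and normal-mode logs above), and annotates the entries a reader is tempted to delete, such as the orphan "(no file)" BHO and the KernelFaultCheck line. The sample lines are copied from the normal-mode log in the thread; EXPECTED_HOSTS is an assumption made for the demo.

```python
"""Triage of a HijackThis v2 log: split the R/O entries and flag the ones a
helper looks at first.  Added example, not code from the thread or from
HijackThis.  EXPECTED_HOSTS is an assumption made for the demo."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the normal-mode log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eeepc.asus.com/global
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Bluetooth.lnk = ?
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
"""

# Hosts the browser start/search pages are expected to point at on this
# machine (assumption: an Asus Eee PC with the vendor and Microsoft defaults).
EXPECTED_HOSTS = {"eeepc.asus.com", "go.microsoft.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    kind: str   # HijackThis section, e.g. "R0", "O2", "O4"
    body: str   # the rest of the line


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the R*/F*/O* entry lines; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (severity, kind, note) triples for entries worth a second look.

    'info' entries are explained so a user does not delete them needlessly;
    'review' entries are the ones a helper would confirm by hand."""
    findings = []
    for e in entries:
        if e.kind in ("R0", "R1"):
            host = urlparse(e.body.split(" = ", 1)[-1]).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append(("review", e.kind, f"browser setting points at {host}"))
        elif e.kind == "O2":
            if e.body.endswith("(no file)"):
                # CLSID still registered but the DLL is gone: an orphan, nothing loads.
                findings.append(("info", "O2", "orphan BHO CLSID, no DLL on disk"))
            else:
                dll = e.body.rsplit(" - ", 1)[-1]
                findings.append(("review", "O2", f"BHO loads into IE from {dll}"))
        elif e.kind == "O4":
            if "[KernelFaultCheck]" in e.body:
                # Windows adds this Run entry after a crash so the dump is reported at next logon.
                findings.append(("info", "O4", "dumprep entry: a kernel crash (BSOD) was recorded"))
            elif e.body.endswith("= ?"):
                findings.append(("review", "O4", "startup shortcut whose target HijackThis could not resolve"))
        elif e.kind == "O16":
            host = urlparse(e.body.rsplit(" - ", 1)[-1]).hostname
            findings.append(("review", "O16", f"downloaded ActiveX control from {host}"))
    return findings


def counts_by_kind(entries: list[Entry]) -> dict[str, int]:
    """Entries per section, to compare a safe-mode log with a normal-mode one."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print(counts_by_kind(ents))
    for sev, kind, note in triage(ents):
        print(f"{sev:6} {kind:4} {note}")
```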

0

I ran Combofix and later ran Eusing free registry cleaner and voila, the system seems to be working great once again (maybe even better).

0

:). Combofix was to be my next step, because I believed that One-Care had not found all the malware. Could I see the log, please?

0

Sure!! the whole thing or just parts? The log is LONG! Very LONG lol

0

...and then it was time for bed.
Length is not a problem. Use Advanced editor to attach it, the Combofix log.

0

Good morning!!

Ok so I have attached the file (wasn't aware I was able to do so)...

I was amazed how many errors Eusing found when I ran it (1282). I had used Registry Booster not too long ago and couldn't believe I had so many registry problems.

This is the first time I have used Combofix, but I loved it!

Attachments
ComboFix 10-08-03.04 - Aracely 08/04/2010  13:18:28.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1015.522 [GMT 2:00]
Running from: c:\documents and settings\Aracely\My Documents\Downloads\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((   Files Created from 2010-07-04 to 2010-08-04  )))))))))))))))))))))))))))))))
.

2010-08-04 09:46 . 2010-08-04 09:46	--------	dc----w-	C:\VundoFix Backups
2010-08-03 08:53 . 2010-08-03 08:53	--------	dcsh--w-	c:\documents and settings\Administrator\PrivacIE
2010-08-03 08:52 . 2010-08-03 08:52	--------	dc----w-	c:\documents and settings\Administrator\Application Data\Uniblue
2010-07-25 14:05 . 2010-07-25 14:06	5037504	-c--a-w-	c:\documents and settings\Aracely\Application Data\Uniblue\RegistryBooster 2010\_temp\ub.exe
2010-07-22 19:58 . 2010-07-22 19:58	--------	dc----w-	c:\windows\XSxS
2010-07-22 19:58 . 2010-07-22 19:58	--------	dc----w-	c:\program files\Xenocode
2010-07-22 19:58 . 2010-07-22 19:58	--------	dc----w-	c:\documents and settings\Aracely\Local Settings\Application Data\Xenocode
2010-07-22 19:56 . 2010-07-22 21:56	--------	dc----w-	c:\program files\iPod 2 iPod

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-04 02:02 . 2009-01-30 23:13	--------	dc----w-	c:\program files\Microsoft Windows OneCare Live
2010-08-03 11:16 . 2010-02-26 22:04	--------	dc----w-	c:\documents and settings\Aracely\Application Data\QuickScan
2010-08-03 09:41 . 2010-02-26 11:34	--------	dc----w-	c:\documents and settings\Administrator\Application Data\QuickScan
2010-08-02 23:43 . 2010-04-27 14:31	1324	-c--a-w-	c:\windows\system32\d3d9caps.dat
2010-08-02 17:06 . 2009-05-16 02:10	--------	dc----w-	c:\program files\Microsoft ActiveSync
2010-08-01 21:18 . 2009-06-13 13:24	--------	dc----w-	c:\documents and settings\Aracely\Application Data\uTorrent
2010-07-25 15:34 . 2009-06-13 13:25	--------	dc----w-	c:\program files\uTorrent
2010-07-25 14:12 . 2010-02-07 15:12	--------	dc----w-	c:\documents and settings\Aracely\Application Data\Uniblue
2010-07-25 14:11 . 2010-02-07 15:34	--------	dc----w-	c:\program files\Uniblue
2010-07-22 23:08 . 2010-02-09 20:11	--------	dc----w-	c:\documents and settings\Aracely\Application Data\Image Zone Express
2010-07-22 00:10 . 2009-01-31 10:50	--------	dc----w-	c:\documents and settings\Aracely\Application Data\Skype
2010-07-21 23:18 . 2009-02-22 01:19	--------	dc----w-	c:\documents and settings\Aracely\Application Data\skypePM
2010-07-15 21:55 . 2009-01-31 04:09	--------	dc----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-05 08:25 . 2009-01-31 02:19	--------	dc----w-	c:\documents and settings\Aracely\Application Data\Apple Computer
2010-07-03 17:45 . 2010-07-03 17:43	--------	dc----w-	c:\program files\iTunes
2010-07-03 17:44 . 2010-07-03 17:44	--------	dc----w-	c:\program files\iPod
2010-07-03 17:43 . 2009-01-31 02:16	--------	dc----w-	c:\program files\Common Files\Apple
2010-07-03 17:34 . 2010-07-03 17:34	--------	dc----w-	c:\program files\Bonjour
2010-07-03 17:27 . 2010-07-03 17:27	72504	-c--a-w-	c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-19 00:56 . 2009-01-30 23:21	--------	dc----w-	c:\program files\Messenger Plus! Live
2010-06-14 14:31 . 2008-08-09 14:47	744448	-c--a-w-	c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 05:31 . 2009-02-19 22:38	--------	dc----w-	c:\program files\Microsoft Silverlight
2010-06-11 19:21 . 2009-02-21 06:26	--------	dc----w-	c:\documents and settings\Aracely\Application Data\VSO
2010-06-11 14:51 . 2010-06-11 14:51	3055600	-c--a-w-	c:\documents and settings\Aracely\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 14:36 . 2010-06-11 14:36	275952	-c--a-w-	c:\documents and settings\Aracely\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-18 14:35 . 2010-05-18 14:35	91424	-c--a-w-	c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35	107808	-c--a-w-	c:\windows\system32\dns-sd.exe
2008-05-07 23:34 . 2008-08-30 01:27	15523560	-c--a-w-	c:\program files\Install AiGuruU1 Skype Phone.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-20 135168]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-17 622592]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-20 94208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-2 604776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 14:04	39792	-c--a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-09-26 00:02	2356088	-c--a-r-	c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-19 19:03	136176	-c--atw-	c:\documents and settings\Aracely\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-12-20 06:08	159744	----a-w-	c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-26 11:06	4351216	-c--a-w-	c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-02-08 12:56	3883856	-c--a-w-	c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17	180224	-c--a-w-	c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 22:47	25623336	----a-w-	c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"YahooAUService"=2 (0x2)
"WSearch"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\documents and settings\Aracely\Application Data\Facebook\facebook.exe"= c:\documents and settings\Aracely\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Do
0

That is a nice, clean Combofix log. Nice work!
Registry cleaners.... urg. They all use different [the best in the business] detection/cleaning engines. Your registry is huge.... mine occupied 28MB the last time I looked... if you consider each value might contain only a few or possibly a few hundred bytes, each subkey a few names, then that allows for many tens of thousands of keys, possibly a couple hundred thou, and approaching a million data names. Depending, of course.
Your registry contains entries that will be cycled out as new info arrives into those areas; all cleaners love to point out that they have found those because there are hundreds of such things... every search, every file you delete, move... and unused file suffixes. Then they try to find entries which point to files which no longer exist... data ones are easy, with applications they fail miserably. And occasionally, they tell you to remove something absolutely vital.
Crash.


0

I'm just glad that my laptop is back in tip top shape (with assistance of course) =)

0

That was certainly a lot of runs you did with Combofix. It would have been good to have seen the first log, the last is fairly useless in telling me what you had. Anyway... run this to cleanup and remove Combofix:
combofix /u
Cheers.
