| Pls help! - Desktop/Taskbar disappear - 7 instances of svchost

Hi there,

I've been having some problems on startup (Win XP) whereby on entering Windows after about 10-20 seconds the desktop and taskbar simply disappears. Sometimes it reappears after another 10-20 seconds but then it usually goes again for good. If I open a program before it disappears the first time, such as IE or TuneUp Utils sometimes the desktop/taskbar stay longer (about 5 mins). It's very odd.

I scanned with Ad-aware Personal and Kaspersky. Found some trojans and deleted them. One of them came back a few more times "iifggde.dll" but it hasn't resurfaced again after I disinfected with KAV. I have also noticed that multiple (around 7) svchost.exe processes keep coming up as you can see from the HJ log.

Please, if anyone can find a solution to this I would be extremely grateful! I'm in the middle of a massive project which has now ceased. Will keep lurking around in the meantime.

Thanks,
Keenan

----------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:00:09 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\mrofinu1044.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\COMMON~1\SKS~1\chkdsk.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.national.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Ohnw] "C:\PROGRA~1\COMMON~1\SKS~1\chkdsk.exe" -vt yazb
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Bytescout SWF To Video Scout - {ED67D390-1DBC-4A3A-A92E-289D4729335B} - C:\Program Files\Bytescout SWF To Video Scout\flashextract.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/n...tialSetup1.0.0.8-2.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/...eShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/...U/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1115858167930
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/mi...site.cab?1133160044023
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...atsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/...ry/ZIntro.cab56649.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...sPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live Mail desktop\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe |
| ||
| Re: Pls help! - Desktop/Taskbar disappear - 7 instances of svchost I'm bothered by c:\windows\mrofinu1044.exe. Does that file have any author's signature? When did it appear? At the same time as the trojan? Be suspicious of that file and any file of similar/identical size created within a few seconds of its creation time if that coincided with your trojan. |
| ||
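The check suggested in the reply above (files of similar size created within a few seconds of the suspect file), sketched as an added example that is not part of the original thread. The reference path is the one named in the thread; the sizes, timestamps, other file names, the 5-second window and the 5% size tolerance are all constructed assumptions.

```python
import os
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "path size created")


def scan(root):
    """Collect FileInfo records for every file under root.

    On Windows, st_ctime is the file creation time; on Unix it is the
    inode change time, so run this against the Windows volume itself.
    """
    records = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished file: skip, do not abort the sweep
            records.append(FileInfo(path, st.st_size, st.st_ctime))
    return records


def companions(records, reference_path, window_s=5.0, size_tolerance=0.05):
    """Files created within window_s seconds of the reference file.

    Returns (path, seconds_offset, size, similar_size) tuples, with files of
    similar size (within size_tolerance of the reference) listed first.
    """
    wanted = reference_path.lower()
    ref = next((r for r in records if r.path.lower() == wanted), None)
    if ref is None:
        raise ValueError("reference file not in scan: " + reference_path)
    hits = []
    for r in records:
        if r is ref:
            continue
        offset = r.created - ref.created
        if abs(offset) > window_s:
            continue
        similar = abs(r.size - ref.size) <= size_tolerance * ref.size
        hits.append((r.path, round(offset, 1), r.size, similar))
    # Similar-size files first, then by closeness in time.
    hits.sort(key=lambda h: (not h[3], abs(h[1])))
    return hits


# Constructed records: only the reference path comes from the thread;
# sizes, timestamps and the example_* names are invented for illustration.
SAMPLE = [
    FileInfo(r"C:\WINDOWS\mrofinu1044.exe", 61440, 1195500000.0),
    FileInfo(r"C:\WINDOWS\system32\example_a.dll", 61440, 1195500002.4),
    FileInfo(r"C:\WINDOWS\system32\example_b.dll", 204800, 1195500003.1),
    FileInfo(r"C:\WINDOWS\system32\example_c.exe", 61952, 1195499998.0),
    FileInfo(r"C:\WINDOWS\notepad.exe", 69120, 1092300000.0),
]

if __name__ == "__main__":
    for path, offset, size, similar in companions(SAMPLE, r"C:\WINDOWS\mrofinu1044.exe"):
        tag = "similar size" if similar else "different size"
        print("%+6.1fs  %8d  %-14s %s" % (offset, size, tag, path))
```

On a live system, `scan(r"C:\WINDOWS")` supplies the records. Creation timestamps can be rewritten by whatever wrote the file, so a hit is a lead to follow up, and an empty result clears nothing.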
| Re: Pls help! - Desktop/Taskbar disappear - 7 instances of svchost

Yes, I noticed that one too. Thought it best to confirm with someone else who knows what's going on. Should I fix with HJT??

After reading this thread on proper use of HJT (http://www.daniweb.com/forums/thread28196.html), here is a more up to date log. Also following that I have included a list of the running DLLs using Process Explorer (hopefully you can read it!)

ALSO, have recently found out that through Task Manager I can get access to explorer by creating a new task. This works for a sufficient enough time for me to gain access to anything I may need (~10mins!)

----------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:42:14 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\COMMON~1\SKS~1\chkdsk.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.windowsitpro.com/web/f...&enterthread=y
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Ohnw] "C:\PROGRA~1\COMMON~1\SKS~1\chkdsk.exe" -vt yazb
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Bytescout SWF To Video Scout - {ED67D390-1DBC-4A3A-A92E-289D4729335B} - C:\Program Files\Bytescout SWF To Video Scout\flashextract.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live Mail desktop\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe |
| ||
| Re: Pls help! - Desktop/Taskbar disappear - 7 instances of svchost I have deleted the suspicious file c:\windows\mrofinu1044.exe upon seeing that it had no authentication. Also in Kaspersky I have noticed that since I have had this problem there have been countless blocks and unblocks of explorer. I added explorer to trusted apps; now going to reboot. |
| ||
| Re: Pls help! - Desktop/Taskbar disappear - 7 instances of svchost C:\PROGRA~1\COMMON~1\SKS~1\chkdsk.exe what's this? Was it created around the time of the other file you deleted? When was its directory created? Looks dodgy to me. The SVCHosts are fine and normal although there may be an underlying dodgy DLL being run. When you've dealt with this potentially rogue chkdsk, I strongly recommend that you REPAIR windows from the windows CD. There's no accounting for windows files that have been hijacked seeing as I can't find the usual clutch of tell-tale dlls in your list (like the iifggde.dll you deleted). |
| ||
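The two path checks made by eye in the replies above (a `chkdsk.exe` running from a Common Files subfolder, an unfamiliar executable sitting directly in `C:\WINDOWS`, and all seven `svchost.exe` instances running from `system32`), written as a small HijackThis log triage. This is an added example, not code from the thread: the sample is an excerpt of the first log posted here, and the table of home folders and the `C:\WINDOWS` allowlist are assumptions chosen for illustration.

```python
import ntpath
import re

# Assumed home folders (lower case) of some Windows XP system binaries.
SYSTEM_HOMES = {
    "svchost.exe": r"c:\windows\system32",
    "chkdsk.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Assumed short allowlist of executables that normally sit directly in C:\WINDOWS.
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

EXE_RE = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)
O4_RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run\w*: \[([^\]]*)\] (.+)$")
SECTION_RE = re.compile(r"^[A-Z]\d+ - ")

# Excerpt of the first HijackThis log in this thread, one entry per line.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\mrofinu1044.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SKS~1\chkdsk.exe
C:\WINDOWS\explorer.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ohnw] "C:\PROGRA~1\COMMON~1\SKS~1\chkdsk.exe" -vt yazb
"""


def image_path(command):
    """Executable path at the start of a command line, or None if there is none."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else None


def reasons_for(path):
    """Reasons this image path deserves a closer look (empty list if none)."""
    folder, name = ntpath.split(path.lower())
    if not folder:
        return []  # bare name such as 'nwiz.exe': location not given in the log
    reasons = []
    home = SYSTEM_HOMES.get(name)
    if home and folder != home:
        reasons.append("system binary name outside " + home)
    if folder == r"c:\windows" and name not in WINDOWS_ROOT_OK:
        reasons.append("unrecognised executable directly in c:\\windows")
    return reasons


def triage(log_text):
    """Return (findings, svchost_folders) for a HijackThis log."""
    findings = []         # (source, image path, reason)
    svchost_folders = {}  # folder -> count of running svchost.exe
    in_processes = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_processes = True
            continue
        if SECTION_RE.match(line):
            in_processes = False  # first R/O entry ends the process list
        run = O4_RUN_RE.match(line)
        if run:
            source = "O4 %s Run [%s]" % (run.group(1), run.group(2))
            path = image_path(run.group(3))
        elif in_processes and line:
            source, path = "running process", line
            folder, name = ntpath.split(line.lower())
            if name == "svchost.exe":
                svchost_folders[folder] = svchost_folders.get(folder, 0) + 1
        else:
            continue
        for reason in reasons_for(path or ""):
            findings.append((source, path, reason))
    return findings, svchost_folders


if __name__ == "__main__":
    found, svchosts = triage(SAMPLE_LOG)
    print("svchost.exe instances by folder:", svchosts)
    for source, path, reason in found:
        print("%-24s %s  <- %s" % (source, path, reason))
```

A path check only says where an image lives. An `svchost.exe` in `system32` can still be hosting a rogue DLL, which is the caveat the reply above raises.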
| Re: Pls help! - Desktop/Taskbar disappear - 7 instances of svchost I have downloaded and installed SuperAntispyware and it removed over 160 malwares. Chkdsk seems to be gone but explorer.exe still crashes causing the desktop icons and taskbar to disappear. Significant slowing occurs too which suggests there are processes running I don't know about. Mozilla Firefox also has a security error upon starting. |
| ||
| Re: Pls help! - Desktop/Taskbar disappear - 7 instances of svchost The anti-malware programs get rid (in theory) of non-active trojans etc, but not the one that's actually running and which re-spawns on boot up. There is no short route out of your predicament. You have two method choices: 1/ The incremental (and recursive) procedure that you can glean from any post involving crunchie in the virus forum. 2/ My own method posted there on 3-Sep-07 (search under the mis-spelt term "Virtunonde"). You need now to be methodical and determined. The only shortcut I can think of that MIGHT work, is to Repair Windows in case that is the only problem left, which I think unlikely. |
| ||
| Re: Pls help! - Desktop/Taskbar disappear - 7 instances of svchost If the threat has already been removed and has left the profile corrupted, you may experience this same behavior. I have been able to repair this problem by creating a new profile and moving the documents and settings from the corrupt profile to the new one, IF the threat has already been removed. |
| ||
| Re: Pls help! - Desktop/Taskbar disappear - 7 instances of svchost The problem is still there unfortunately. Since then I have been getting a bad image error for explorer which mentions the file "sstqn.dll". I'm not sure what to do now but back up all my files and reload windows :( |