Member Panel

Remember me ?

Forgot password?   

Sponsors and Ads

Noticeboard
PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [Fixed] Desktop appears and disappears

[Fixed] Hijackthis! Logs - [Fixed] Desktop appears and disappears posted in the Security & Safety forums; Hi GuysI need some help with something strange that going on with my computer.Last night after removing a program with "Add Remove" my desk top started to dissappear and than ...

JOIN US NOW to remove these Ads

Post New Thread  Reply
Page 1 of 3 1 2 3 >
  #1  
Old 11-14-2007
Bronze Member
  
Join Date: Jun 2007
Posts: 39
Uliz - See this Members User comments on their Profile page
Default [Fixed] Desktop appears and disappears
Hi GuysI need some help with something strange that going on with my computer.Last night after removing a program with "Add Remove" my desk top started to dissappear and than reappear for 10 seconds and so on. I tried to use system restore but there where no earlier restore points. My system restore is on. I searched Google and found that it has to do with internet explorer.I followed the instructions I found in that help site to open task manager,start a new task,type "Explorer", click OK and that brought back my desktop to normal. Everything is ok as long as I don't reboot the computer. After rebooting ,my desktop return's to it's strange bevaviour. My system is XP SP2. please help.Thank YouUli
  #2  
Old 11-14-2007
valis's Avatar
Senior Security Analyst
My PC
 
Join Date: Jan 2007
Location: texas, USA
Posts: 2,627
PC Experience: PC Illiterate
valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page
Default Re: Desktop appears and disappears
hello uliz....let's rule out malware.

Please do this:

Please download HijackThis to your desktop.. http://www.trendsecure.com/portal/en...HJTInstall.exe
Alternate link
http://download.bleepingcomputer.com...HJTInstall.exe
This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Upon install, HijackThis should open for you.
Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe
1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

thanks,

v


__________________

M.C.S.A.
M.C.P. - MS Server 2k3, Network Architecture

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that."
- Gary Kildall
  #3  
Old 11-15-2007
Bronze Member
  
Join Date: Jun 2007
Posts: 39
Uliz - See this Members User comments on their Profile page
Default Re: Desktop appears and disappears
I just came back from work.
Here is HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:14:06 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\OO Software\CleverCache\ooccag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HD Tune\HDTune.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Pando Networks\Pando\pando.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Uli\My Documents\HiJackThis_v2\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = מבזקים | חדשות | מבזקי חדשות | כלכלה ועסקים | מבזקי ספורט
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = file://C:\Program Files\WinSweep\ws.js
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\rqrpmkj.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll
O2 - BHO: (no name) - {EBDCBD72-2A66-4F69-AA32-AF17F6777E8D} - C:\WINDOWS\system32\pmkhf.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [HD Tune] C:\PROGRA~1\HDTUNE~1\HDTune.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Desktop Tray Clock\DTClock.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.epost.ca/printing/smsx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/s...wserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.144.30/DGTx.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: rqrpmkj - C:\WINDOWS\SYSTEM32\rqrpmkj.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Premium\avmailc.exe (file missing)
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Premium\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Premium\avguard.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Premium\avesvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\ooccag.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
--
End of file - 12144 bytes

Thank You
  #4  
Old 11-15-2007
valis's Avatar
Senior Security Analyst
My PC
 
Join Date: Jan 2007
Location: texas, USA
Posts: 2,627
PC Experience: PC Illiterate
valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page
Default Re: Desktop appears and disappears
yup, you're infected. Please do the following.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

thanks,

v


__________________

M.C.S.A.
M.C.P. - MS Server 2k3, Network Architecture

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that."
- Gary Kildall
  #5  
Old 11-15-2007
valis's Avatar
Senior Security Analyst
My PC
 
Join Date: Jan 2007
Location: texas, USA
Posts: 2,627
PC Experience: PC Illiterate
valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page
Default Re: Desktop appears and disappears
moved thread to hjt logs.


__________________

M.C.S.A.
M.C.P. - MS Server 2k3, Network Architecture

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that."
- Gary Kildall
  #6  
Old 11-16-2007
Bronze Member
  
Join Date: Jun 2007
Posts: 39
Uliz - See this Members User comments on their Profile page
Default Re: Desktop appears and disappears
ComboFix Log:

ComboFix 07-11-08.1 - Uli 2007-11-15 17:32:32.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.762 [GMT -5:00]
Running from: C:\Documents and Settings\Uli\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Uli\Application Data\inst.exe
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\temp.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.
2007-11-15 12:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 23:58 <DIR> d-------- C:\Program Files\SatelliteTVforPC
2007-11-14 23:56 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-13 22:14 <DIR> d--hs---- C:\FOUND.013
2007-11-13 12:58 <DIR> d--hs---- C:\FOUND.012
2007-11-13 12:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-13 08:26 <DIR> d-------- C:\Program Files\Vista Start Menu
2007-11-13 08:26 <DIR> d-------- C:\Program Files\Desktop Tray Clock
2007-11-13 08:26 <DIR> d-------- C:\Documents and Settings\Uli\Application Data\Vista Start Menu
2007-11-13 08:06 <DIR> d--hs---- C:\FOUND.011
2007-11-13 07:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-12 23:25 <DIR> d--hs---- C:\FOUND.010
2007-11-12 22:26 35,328 --a------ C:\WINDOWS\system32\ljjiffd.dll
2007-11-12 22:22 35,328 --------- C:\WINDOWS\system32\rqrpmkj.dll
2007-11-12 22:21 32,764 --a------ C:\WINDOWS\17PHolmes1061.exe
2007-11-12 22:16 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-11 20:24 <DIR> d-------- C:\WINDOWS\Caps
2007-11-11 17:36 <DIR> d-------- C:\Program Files\Fax by Modem
2007-11-11 00:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
2007-11-11 00:34 <DIR> d-------- C:\Program Files\Innovative Solutions
2007-11-10 19:27 <DIR> d-------- C:\WINDOWS\tiinst1
2007-11-10 07:39 <DIR> d-------- C:\Program Files\DIFX
2007-11-10 00:44 110,602 --a------ C:\WINDOWS\system32\xcdsfx32.bin
2007-11-10 00:43 <DIR> d-------- C:\Program Files\Driver Magician
2007-11-09 22:33 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2007-11-09 22:31 <DIR> d--h----- C:\WINDOWS\system32\CanonMP Uninstaller Information
2007-11-09 22:30 <DIR> d--h----- C:\CanonMP
2007-11-09 00:26 <DIR> d-------- C:\Program Files\Broadcom
2007-11-09 00:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Broadcom
2007-11-09 00:25 <DIR> d-------- C:\Documents and Settings\Uli\Application Data\InstallShield
2007-11-08 23:59 <DIR> d-------- C:\Program Files\Realtek AC97
2007-11-08 22:40 <DIR> d-------- C:\Program Files\Driver-Soft
2007-11-06 22:44 <DIR> d-------- C:\Program Files\Windows Live
2007-11-06 22:44 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-06 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-06 14:39 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-11-06 14:39 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-06 14:39 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-11-06 13:08 <DIR> d--hs---- C:\FOUND.009
2007-11-05 23:39 <DIR> d-------- C:\WINDOWS\uninstall
2007-11-04 22:38 <DIR> d-------- C:\Program Files\Error Repair Professional
2007-11-04 18:13 <DIR> d--hs---- C:\FOUND.008
2007-10-30 15:58 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-10-30 15:58 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-10-30 15:58 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-10-30 15:58 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-10-30 15:58 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-10-30 15:58 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-10-30 15:58 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-10-30 15:58 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-10-29 14:14 <DIR> d-------- C:\Documents and Settings\Uli\Application Data\Nero
2007-10-29 14:09 <DIR> d-------- C:\Program Files\Nero
2007-10-29 14:09 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-10-29 14:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-10-28 22:14 <DIR> d-------- C:\Program Files\mobile PhoneTools
2007-10-28 21:50 <DIR> d-------- C:\Program Files\LiveUpdate
2007-10-28 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-10-27 23:59 <DIR> d-------- C:\Documents and Settings\Uli\Application Data\Vso
2007-10-27 20:38 <DIR> d--hs---- C:\FOUND.007
2007-10-27 09:19 <DIR> d-------- C:\Program Files\Picasa2
2007-10-18 11:31 51,224 --a------ C:\WINDOWS\system32\sirenacm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-11-06 04:43 1,384,478 ----a-w C:\WINDOWS\system32\msvbvm60.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-08 04:00 --------- d-----w C:\Program Files\OO Software
2007-10-07 18:42 --------- d-----w C:\Program Files\Pando Networks
2007-10-07 03:10 --------- d-----w C:\Program Files\WinCustomize
2007-10-07 03:10 --------- d-----w C:\Program Files\Common Files\Stardock
2007-10-07 03:03 76,386 ----a-w C:\WINDOWS\Media\Uninstal.exe
2007-10-03 13:19 --------- d-----w C:\Program Files\i.Disk
2007-10-03 12:50 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-02 22:45 4,109,376 ----a-r C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-10-01 12:16 --------- d-----w C:\Program Files\Easy DVD Creator
2007-09-30 20:03 --------- d-----w C:\Documents and Settings\Uli\Application Data\LimeWire
2007-09-30 06:52 --------- d-----w C:\Documents and Settings\Uli\Application Data\Brisk DVD Creator
2007-09-30 06:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Protexis
2007-09-30 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-09-29 06:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\DFX
2007-09-27 05:30 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-09-27 05:30 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-09-27 05:30 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-27 03:52 138,220 ----a-w C:\Documents and Settings\All Users\Application Data\mainlsp.reg.dat
2007-09-27 03:33 --------- d-----w C:\Documents and Settings\Uli\Application Data\Gizmo Project
2007-09-26 05:57 126,264 ----a-w C:\Documents and Settings\All Users\Application Data\firstlsp.reg.dat
2007-09-25 03:31 --------- d-----w C:\Program Files\OpenVideoConverter
2007-09-24 14:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 14:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-22 04:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2007-09-22 04:53 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-09-21 04:09 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-09-20 19:28 --------- d-----w C:\Documents and Settings\Uli\Application Data\Talkback
2007-09-20 14:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 14:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 14:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-09-19 03:38 --------- d-----w C:\Documents and Settings\Uli\Application Data\Thunderbird
2007-09-17 00:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Eset
2007-09-16 05:16 --------- d-----w C:\Program Files\Smart Projects
2007-09-16 05:15 --------- d-----w C:\Program Files\Wondershare
2007-09-16 05:13 --------- d-----w C:\Program Files\FastStone Image Viewer
2007-09-16 05:09 --------- d-----w C:\Program Files\CyberLink
2007-09-16 05:05 --------- d-----w C:\Documents and Settings\Uli\Application Data\Smart PC Solutions
2007-09-15 03:19 --------- d-----w C:\Documents and Settings\Uli\Application Data\vlc
2007-09-02 01:54 4 ----a-w C:\WINDOWSRegDefrag.dat
2007-08-21 07:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 07:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 20:34 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 11:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 11:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 11:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 11:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 11:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 11:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 11:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-07 23:27 682,266 ----a-w C:\Program Files\unins000.exe
2007-07-07 23:27 14,643 ----a-w C:\Program Files\unins000.dat
2007-05-19 03:14 47,360 ----a-w C:\Documents and Settings\Uli\Application Data\pcouffin.sys
2007-05-18 20:51 4,613 ----a-w C:\Program Files\Readme.txt
2007-05-17 18:36 87,608 ----a-w C:\Documents and Settings\Uli\Application Data\ezpinst.exe
2007-05-08 20:12 5,832,223 ----a-w C:\Program Files\avcodec.dll
2007-05-07 17:29 1,216,040 ----a-w C:\Program Files\vso_hwe.dll
2007-05-05 02:38 94,208 ----a-w C:\Documents and Settings\Uli\Application Data\ezplay.sys
2007-04-24 14:44 1,136 ----a-w C:\Program Files\uictl_default.xml
2007-04-23 20:04 41,727 ----a-w C:\Program Files\avutil.dll
2007-04-23 19:49 526,083 ----a-w C:\Program Files\avformat.dll
2007-04-11 17:12 2,279,464 ----a-w C:\Program Files\PcSetup.exe
2006-11-18 03:32 169,472 ----a-w C:\Program Files\CrashRpt.dll
2006-08-23 01:26 53,760 ----a-w C:\Program Files\zlib.dll
2006-08-23 01:26 1,030,144 ----a-w C:\Program Files\dbghelp.dll
2004-12-04 04:35 36,716 ----a-w C:\Program Files\succ.wav
2003-06-09 06:58 1,210 ----a-w C:\Program Files\changelog
2003-06-09 06:55 1,096,342 ----a-w C:\Program Files\credits.exe
2003-06-09 06:48 686,080 ----a-w C:\Program Files\vcdgear.exe
1999-03-28 05:59 42,664 ----a-w C:\Program Files\error.wav
2007-08-09 04:56:24 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007080820070 809\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}]
2007-11-12 22:22 35328 --------- C:\WINDOWS\system32\rqrpmkj.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"HD Tune"="C:\PROGRA~1\HDTUNE~1\HDTune.exe" [2007-01-22 02:01]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"SkinClock"="C:\Program Files\Desktop Tray Clock\DTClock.exe" [2006-08-18 20:26]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-04-19 02:30]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2007-09-26 14:14]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-03-07 12:07:26]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\explorer]
"NoResolveSearch"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE}"= C:\WINDOWS\system32\rqrpmkj.dll [2007-11-12 22:22 35328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrpmkj]
rqrpmkj.dll 2007-11-12 22:22 35328 C:\WINDOWS\system32\rqrpmkj.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkhf.dll
"Notification Packages"= :\WINDOW
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run-]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotc ore3.sys
R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHe lper.sys
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.s ys
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 DKbFltrritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
S1 StarPortLite;StarPort Storage Controller (Lite);C:\WINDOWS\system32\DRIVERS\StarPortLite.sy s
S2 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;"C:\Program Files\AntiVir PersonalEdition Premium\avmailc.exe"
S2 AVEService;AntiVir PersonalEdition Premium MailGuard helper service;"C:\Program Files\AntiVir PersonalEdition Premium\avesvc.exe"
S3 int15.sys;int15.sys;\??\C:\Program Files\acer\eRecovery\int15.sys
S3 Ndisusb;GeneLink Network Driver;C:\WINDOWS\system32\DRIVERS\genelan.sys
S3 USBHSB;GeneLink USB Driver;C:\WINDOWS\system32\Drivers\geneusb.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 19:09:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-09 22:15:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
************************************************** ************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 17:43:56
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
Completion time: 2007-11-15 17:46:48 - machine was rebooted
.
--- E O F ---

HijackThis Log File:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:39:44 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\OO Software\CleverCache\ooccag.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\HDTUNE~1\HDTune.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\DOCUME~1\Uli\LOCALS~1\Temp\RtkBtMnt.EXE
C:\Program Files\Desktop Tray Clock\DTClock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Pando Networks\Pando\pando.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Uli\My Documents\HiJackThis_v2\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = מבזקים | חדשות | מבזקי חדשות | כלכלה ועסקים | מבזקי ספורט
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = file://C:\Program Files\WinSweep\ws.js
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - C:\WINDOWS\system32\rqrpmkj.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\sw g.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [HD Tune] C:\PROGRA~1\HDTUNE~1\HDTune.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Desktop Tray Clock\DTClock.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.epost.ca/printing/smsx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/s...wserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} (DGTx.uc1) - http://66.98.144.30/DGTx.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: rqrpmkj - C:\WINDOWS\SYSTEM32\rqrpmkj.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Premium\avmailc.exe (file missing)
O23 - Service: AntiVir PersonalEdition Premium Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Premium\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Premium\avguard.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: AntiVir PersonalEdition Premium MailGuard helper service (AVEService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Premium\avesvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\ooccag.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)
--
End of file - 11885 bytes
  #7  
Old 11-16-2007
valis's Avatar
Senior Security Analyst
My PC
 
Join Date: Jan 2007
Location: texas, USA
Posts: 2,627
PC Experience: PC Illiterate
valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page valis - See this Members User comments on their Profile page
Default Re: Desktop appears and disappears
You may want to print these out. please close all other applications, start hjt again, click 'perform system scan only', place a tick next to the following and click 'fix checked'

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:
C:\WINDOWS\SYSTEM32\rqrpmkj.dll
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Refering to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

thanks,

v


__________________

M.C.S.A.
M.C.P. - MS Server 2k3, Network Architecture

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that."
- Gary Kildall