Avatar of kaerez
kaerezFlag for Israel asked on

Wierd O/S problems

Hello everyone,

I have a licensed copy of KIS 2009 fully updated and full system scans find nothing.
Downloaded an updated copy of McAfee's Stinger - found nothing.

1) Every once in a while I see a pop-up "keylogger type activity detected" - but I can't seem to see what app. is causing KIS to think so/verify/deal with it.
2) About a week ago I started getting problems with the O/S, every once in a while internet is stuck and trying to run ipconfig/ping returns an error and doesn't show the adaptors and only a full restart seems to regain control.
3) Trying to set folder view to show hidden files fails and it always reverts to the hide option.

Please advise.

Big question so alot of points :-)

Thanks everyone!
Anti-Virus AppsWindows XP

Avatar of undefined
Last Comment
Jonvee

8/22/2022 - Mon
SICMASO

What OS are you running? Second is there a posibily of Offloading the data and doing clean install of OS? Also does that window pop up when you using Internet or you seen it just working on your PC. This way we can figure out if it something internet relative or is local problem on your PC.
ASKER
kaerez

Hi,

Reinstalling is always a solution.
I'm trying to troubleshoot the issue instead of re-imaging the laptop.
Regarding the KIS pop-up - it occurs regardless of what i'm doing.

Thanks!
SICMASO

Does KIS specify file that it is displaying that activity. Because there some software that Anti-Virus might interprit to be virus and keylogger but in reality they are legit.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
SOLUTION
Jonvee

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
kaerez

Nope.
Not as far as I can understand at least...
Jonvee

Suggest you also install and run Trend HijackThis 2.02:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Create a folder where you would like the HijackThis file to reside and run it from there, not from the Desktop or a temporary folder.
Run the scan & save the logfile.  Then click the "Attach Code Snippet" box, paste the logfile into the "Code Snippet" page & there we can get it analysed.

If HJT is unable to resolve it we have the option of running ComboFix (separate instructions if required)
Orion88

You should be able to see what it is detecting from the KIS activity log screen., have you run spybot search and destroy or malwarebytes malware remover, they will help find a problem that antivirus sometimes does not.  if it does find it and can not remove it, it can be done manually.  let me know if you need help.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
kaerez

Seems all is ok (checked using send log to trendmicro)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:06:14, on 23/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Jetico\BestCrypt Volume Encryption\bcveserv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Aladdin Shared\eToken\PKIClient\x32\eTSrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkASv2K.exe
C:\Program Files\SysAidServer\Wrapper.exe
C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\SysAidServer\jre\bin\java.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Aladdin\eToken\Tms20\Bin\TmsDesktopAgent.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\SolarWinds\Engineer's Toolset\SWLauncher.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Aladdin Shared\eToken\PKIClient\x32\PKIMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Documents and Settings\erezk\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\YouSendIt\Express\YouSendIt.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PcSync2.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\MultiBank\BMidasM.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\KeePass Password Safe\KeePass.exe
C:\Documents and Settings\erezk\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\erezk\Desktop\HiJackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mozilla.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {54B02808-B60E-44CD-A72D-9865117E4E62} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: AGFormHelperObj Class - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\PROGRA~1\agat\AGForm\AGFORM~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AGForms - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
O4 - HKLM\..\Run: [TmsDesktopAgent] C:\Program Files\Aladdin\eToken\Tms20\Bin\TmsDesktopAgent.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [BestCrypt Volume Encryption] "C:\Program Files\Jetico\BestCrypt Volume Encryption\bcfmgr.exe"  MountAtLogon
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [SWQuickLauncher] C:\Program Files\SolarWinds\Engineer's Toolset\SWLauncher.exe
O4 - HKLM\..\Run: [HP Travel Phone] C:\Program Files\HP Travel Phone\HP Travel Phone.exe AUTO
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [eTMonitor] "C:\Program Files\Common Files\Aladdin Shared\eToken\PKIClient\x32\PKIMonitor.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [KeePass Password Safe] "C:\Program Files\KeePass Password Safe\KeePass.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\erezk\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [VirtualCamera] "C:\Program Files\VirtualCamera\VCamera.exe" /s
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [YouSendIt.exe] C:\Program Files\YouSendIt\Express\YouSendIt.exe -ui none
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PcSync2.exe" /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: MAC Shift Random LAN.lnk = C:\apps\MACShift\macshift.exe
O4 - Startup: MultiBank.lnk = C:\Program Files\MultiBank\BMidasM.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {23E9330D-A8C2-49C4-A2F4-68D6845B5EC4} - http://vod.orange.co.il/Installation/orange%20time.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://172.29.2.7/officescan/console/html/root/AtxEnc.cab
O16 - DPF: {4F3DCE50-E8E7-40AC-AB8D-99F87F1F89BD} (Trend Micro OfficeScan Management Console) - https://172.29.2.7/officescan/console/html/root/AtxConsole.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://connectra.iclfertilizers.com/sre/ICSScanner.cab
O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://172.29.2.7/officescan/console/html/root/AtxPie.cab
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://connectra.iclfertilizers.com/SNX/CSHELL/extender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://vpn.2bsecure.co.il/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: x-owacid - {0215258F-F0A8-49DE-BF1B-0FF02EDA8807} - C:\Program Files\Microsoft\Outlook Web Access SMIME Client\mimectl.dll
O20 - AppInit_DLLs: PGPmapih.dll  ,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: bcveServ - Unknown owner - C:\Program Files\Jetico\BestCrypt Volume Encryption\bcveserv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: Check Point Endpoint License Server (CPLicenseServer) - Check Point Software Technologies - C:\Program Files\CheckPoint\Endpoint Security\LicenseServer\R70\bin\License_Server.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ETOKSRV (eTSrv) - Aladdin Knowledge Systems, Ltd. - C:\Program Files\Common Files\Aladdin Shared\eToken\PKIClient\x32\eTSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolarWinds TFTP Server - SolarWinds - C:\Program Files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Syntek STK1160 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe
O23 - Service: SysAid Server (SysAidServer) - Unknown owner - C:\Program Files\SysAidServer\Wrapper.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
 
--
End of file - 18766 bytes

Open in new window

Jonvee

Checking your HijackThis logfile .. there are a small number of "unknown entries" but they may well be ok.

Do you recognise this entry>
HKCU\..\Run: [YouSendIt.exe] C:\Program Files\YouSendIt\Express\YouSendIt.exe -ui none
Details on  YouSendIt.exe >
http://spywarefiles.prevx.com/RRJJFD43912344/YOUS.html

You may find my previous suggestion of downloading, then updating Malwarebytes' Anti-Malware will resolve the issue more quickly:

Full instructions available from here>
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t169669.html

Meanwhile, analysing HJT entries ...
ASKER
kaerez

First - Thanks :-)
Yeah, yousendit is www.yousendit.com - an enterprise ftp replacement solution.
Trying malwarebytes...
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
ASKER CERTIFIED SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
kaerez

Thanks.
Trying.
Below is malwarebytes results - told it to clean what little it found.

Malwarebytes' Anti-Malware 1.33
Database version: 1682
Windows 5.1.2600 Service Pack 3
 
23/1/2009 0:39:21
mbam-log-2009-01-23 (00-39-21).txt
 
Scan type: Quick Scan
Objects scanned: 64222
Time elapsed: 10 minute(s), 2 second(s)
 
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
 
Memory Processes Infected:
(No malicious items detected)
 
Memory Modules Infected:
(No malicious items detected)
 
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Adware.BHO) -> Quarantined and deleted successfully.
 
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\Services.cfg (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
 
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
 
Folders Infected:
(No malicious items detected)
 
Files Infected:
C:\WINDOWS\system32\Services.cfg (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Open in new window

SICMASO

I use spy-bot search and destroy with Tea Timer Protection and IE Protection. Thus i have to approve all registry changes, it creates a little more work but this way i know what is writing my registry and what trying to change values. Might be something to consider for the future once you get rid of this critter.

Also going through your logs i notice this
96: C:\Program Files\KeePass Password Safe\KeePass.exe
since this software is storing your passwords and it is capturing your keystrokes, KIS might be misinterpreting it and qualifying it as key logger.
ASKER
kaerez

nope. tried uninstalling it and it still persisted.
Also - still have the issue with the internet "disappearing" and the folder hidden thingie.. :-)
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
SICMASO

well it is obvious you using IBM Lenovo Laptop, but if you can specify what service pack you using and if this is standalone system or part of domain?
ASKER
kaerez

standalone, sp3
SICMASO

i seem some wierd problems with SP3 but never like that, but to be on the safe side have you tried to downgrade back to SP2
Your help has saved me hundreds of hours of internet surfing.
fblack61
ASKER
kaerez

ha ...
never a good thing trying to wise-up on m$ :-)

i've had sp3 for a while, everything started about a week ago.

thought it might be a malware but various products found nothing so either i have something new
that doesn't spread or something just wend wrong with the ipstack or something and the folder view
just happend to get messed up around the same time.
SysExpert

I also would suggest running

Trend HijackThis 2.02: and posting the log file.

It is standalone - ( no install required ), and may give us a bit more info.

ASKER
kaerez

already did :-)
log is posted above.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Jonvee

To resolve the internet "disappearing" problem (though this doesn't explain the folder hidden issue) & assumimg for the moment it's a possible DNS issue, did you run "ipconfig /flushdns" from a command prompt?

Reference in this previous thread>
"Randomly losing access to the Internet":
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_23282052.html#a21255447
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
kaerez

no dice :-)
ipconfig stops working when this happens.
Jonvee

It still looks like an infection and as HJT was unable to find anything, try running Combofix.  
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins.  Just let it run.

If you're unable to run it you could rename the ComboFix file to something else such as ComboFix2, or equivalent.

Failing that, try downloading ComboFix.exe to another machine, then transfer it to the infected computer using a USB stick.  

Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Jonvee

kaerez, it's a wierd one as you first declared .. in fact if the problem remains unresolved after following all earlier ideas & *if* there are no further suggestions forthcoming, your best bet may be to go for a repair install >>

"XP Repair install:
http://www.michaelstevenstech.com/XPrepairinstall.htm
ASKER
kaerez

Issue resolved.
Thank you all for helping out!
ASKER
kaerez

Malwarebytes combined with Superantispyware scanning and fixes in the products solved the issues.
Thank you for the help ! :-)
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Jonvee

You're very welcome!   Thank you.