Windows Stops Locating/Running Programs?

InvisGhost · Jul 5, 2008

Okay. This one has me stumped. Ive been having this problem for about 4 days now and it is piddling me off :mad:

. I will just be minding my own business when randomly windows will stop locating things. I will get "The file cannot be located" error and when I try to open taskmgr it cant even find that! Ill press ctrl+alt+del and I get the crappy error, Ummm the one Scurity questions failure or whatever. Cant Remember what it said. Anyways heres my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:08 PM, on 7/4/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
Windows folder: C:\Windows
System folder: C:\Windows\SYSTEM32
Hosts file: C:\Windows\System32\drivers\etc\hosts

Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe - I cant stop this from loading
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\Fraps\fraps.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [C:\Windows\system32\kdzpc.exe] C:\WINDOWS\System32\kdzpc.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kdbfs.exe] C:\WINDOWS\System32\kdbfs.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: Launch PicLens - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\PicLens.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitLord\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O13 - Gopher Prefix:
O21 - SSODL: qegbdmwf - {DD94966C-072E-477A-97EE-E86A9F92FF24} - C:\Windows\qegbdmwf.dll
O22 - SharedTaskScheduler: Ave's ExplorerButtons - {E8C2E445-DF20-4BD5-A0B8-325AB2BB059F} - C:\Users\InvisGhost\Desktop\32bit (default)\32bits\AveExplorerButtons.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe - This one wont leave!
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmd.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6871 bytes

Dzomlija · Jul 5, 2008

InvisGhost said:
Okay. This one has me stumped. Ive been having this problem for about 4 days now and it is piddling me off . I will just be minding my own business when randomly windows will stop locating things. I will get "The file cannot be located" error and when I try to open taskmgr it cant even find that! Ill press ctrl+alt+del and I get the crappy error, Ummm the one Scurity questions failure or whatever.

Run a thorough disk check. The symptoms you describe could be a filesystem failure. Also, if possible, download and install the disk utilities from your hard disk manufacturer, which may or may not highlight pending problems on the hardware itself.

InvisGhost · Jul 5, 2008

When my computer starts doing this randomly the only way to fix it is to turn off the computer and turn it back on, then it does a startup restore which only does a sytem restore to when the computer was last restarted XD. Its a loop! But ill run a disk check again and see what it catches.

Dzomlija · Jul 5, 2008

InvisGhost said:
When my computer starts doing this randomly the only way to fix it is to turn off the computer and turn it back on, then it does a startup restore which only does a sytem restore to when the computer was last restarted XD. Its a loop! But ill run a disk check again and see what it catches.

I had another look at you HijackThis! log, and the following two entries have caught my attention:

C:\hp\kbd\kbd.exe
This would appear to be something to do with your keyboard, right? Unless your keyboard has unique non-standard functions, you really do not need to run this.

C:\Program Files\Cyberlink\Shared files\RichVideo.exe
Have you tried using MSCONFIG to terminate this one? If it's not in the standard startup section, perhaps in services? Personally, I don't use Cyberlink Power DVD anymore, as Windows Media Player can play DVDs just as well. And even if PowerDVD is a legit program, the fact that it will not allow you to disable some functions is cause for concern. Get rid of it...

sidney1st · Jul 5, 2008

Hi,
First of all you do not run apparentely any AntiVirus software on your machine.
It looks like you are infected by a new malware.
First thing to do, install an antivirus and scan you drive. (some good antivirus are free, have a look here: http://www.vistax64.com/software/115872-free-software-list-vista.html
Second, it looks like you installed some "new buttons" in your explorer, deinstall them.
Come back after with a new log.

Dwarf · Jul 5, 2008

Hi InvisGhost,

There are a number of suspicious entries in your HJT log. These are as follows in the order that they appear.

O4 - HKLM\..\Run: [C:\Windows\system32\kdzpc.exe] C:\WINDOWS\System32\kdzpc.exe

O4 - HKLM\..\Run: [C:\WINDOWS\System32\kdbfs.exe] C:\WINDOWS\System32\kdbfs.exe

Google has no information on the above items. This is suspicious.

O21 - SSODL: qegbdmwf - {DD94966C-072E-477A-97EE-E86A9F92FF24} - C:\Windows\qegbdmwf.dll

A quick search of Google (CastleCops) links the above to malware, probably a trojan.

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

A quick search of Google reveals this file to be suspicious, possibly a variant of the 'Virtumonde' malware. It looks legitimate because it appears at first glance to be 'nvsvc.exe', a file included in the NVidia graphics drivers. Notice the extra 'v' in your filename. This is what gives the game away, and is a typical method of hiding files that malware writers use.

O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmd.exe
A quick search of Google (CastleCops) reveals this as suspicious.

You don't appear to be running any anti-virus which is not recommended, especially when using a torrent application such as 'BitComet'. Torrents are a common way that malware use to spread.
In view of the numerous suspicious entries in your HJT log, it might be worthwhile submitting it to one of the dedicated HJT forums for analysis. You will have to wait for their response. However, I would seriously consider a reinstallation of Vista with a FULL disk format at the appropriate point. Make sure that you obtain and use an anti-virus, and I strongly recommend that you avoid torrent applications.
Dwarf

sidney1st · Jul 5, 2008

Hi Dwarf, i think i can analyse here his log as i do on specialized forums

I am waiting a reply from Invisghost regarding the AV software as the fashion recently is to install an AV which is a big Virus itself like AV 2008 PRO....
Today even on some specialized sites they are not aware of some very new malwares and googling for some exe or dlls gives no response or very few.
But for sure, surfing today without protection is a kind of suicide and i won't help anymore without a prior virus scan with a real tool.

InvisGhost · Jul 5, 2008

I am running norton 360. I have just removed it from the log. And the new explorer buttons are http://mpj.tomaatnet.nl/vista/explorerbuttons.html . So thats not the case. The disk check reveiled nothing, other then the fact that I have to much crap on my computer. The only things I was able to write down before I fell asleep were that it found 5 unindexed files, and 91 reparse files. I do have special buttons on my keyboard so i do need kbd.

johngalt · Jul 5, 2008

When posting HiJackTHis logs ***DO NOT EDIT THEM***

InvisGhost · Jul 5, 2008

sidney1st said:
Hi Dwarf, i think i can analyse here his log as i do on specialized forums
I am waiting a reply from Invisghost regarding the AV software as the fashion recently is to install an AV which is a big Virus itself like AV 2008 PRO....
Today even on some specialized sites they are not aware of some very new malwares and googling for some exe or dlls gives no response or very few.
But for sure, surfing today without protection is a kind of suicide and i won't help anymore without a prior virus scan with a real tool.

The AV software i have no idea what you mean by that. Do you mean the AVE buttons and thumbnail things? Those are all from Ave's Vista Apps And he is a really good programmer. It doesnt change anything just are addons. I have uninstalled them but I would like to know if I could add them back. The problem is still happening.

InvisGhost · Jul 5, 2008

Oh and I did leave O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" in because I do use that. I dont use norton because I find it annoying(thats why i took it out). XD, Spyware Doctor with antivirus still is good.

johngalt · Jul 5, 2008

AV = Anti Virus

And if something is in your logs, whether you use it or not it is ***actually running*** and the log analyst needs to know *everything* that is running.

Again, do not edit logs. That is the fastest way to *stop* getting help from analysts.

Dwarf · Jul 5, 2008

Hi InvisGhost,

AV is just a shorthand way of saying Anti-Virus. Like John says, when you submit a HiJack This (HJT) log, either here or to one of the specialised forums, DO NOT EDIT it. By editing it, you are removing information that can be used to assist you with your problem(s). The more information that we have, the greater the chance of us being able to help you. Please post a new HJT log in FULL.
Dwarf

InvisGhost · Jul 5, 2008

Kay, No editing of logs. But I just encoutered something that freaked me out. I did everything you guys told me to do. And I restarted the computer (cause I made changes) then I got this when I got to my desktop. "Windows has encountered a critical error and must restart in one minute. Save your work now." Now I know that getting that is not a good sign, but The computer is working fine for right now. :confused:

InvisGhost · Jul 5, 2008

No, this did not work. I am experiencing my problem right now as we speak.

InvisGhost · Jul 5, 2008

And it seems that I do not have norton. I cannot find it anyways right at the moment. I cannot even open the ctrl+alt+del i just got "Failure - Security Options" error, it is a immediate error also, not a long wait like it would if my cpu was high.

sidney1st · Jul 6, 2008

Hi,
First download on your desktop: http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

Close all running programs/windows
Run hijackthis and do a system scan only.
Tick the following lines and click on Fix checked.

O4 - HKLM\..\Run: [C:\Windows\system32\kdzpc.exe] C:\WINDOWS\System32\kdzpc.exe
O4 - HKLM\..\Run: [C:\WINDOWS\System32\kdbfs.exe] C:\WINDOWS\System32\kdbfs.exe
O21 - SSODL: qegbdmwf - {DD94966C-072E-477A-97EE-E86A9F92FF24} - C:\Windows\qegbdmwf.dll

Then, copy these 3 lines:

C:\Windows\qegbdmwf.dll
C:\WINDOWS\System32\kdzpc.exe
C:\WINDOWS\System32\kdbfs.exe

Double click on OTMoveIt
Right click on the left panel then "paste"
Click on MoveIt
Reboot if required
Search for a moveit log in C:\_OTMoveIt\MovedFiles\xxxxxxxx.log
Post it with a new hijackthis log

Windows Stops Locating/Running Programs?

New Member

My Computer

Resistance is Futile

My Computer

New Member

My Computer

Resistance is Futile

My Computer

Member

My Computer

The Contemplator

My Computer

Member

My Computer

New Member

My Computer

Antidisestablishmentarianist

My Computers

New Member

My Computer

New Member

My Computer

Antidisestablishmentarianist

My Computers

The Contemplator

My Computer

New Member

My Computer

New Member

My Computer

New Member

My Computer

Member

My Computer