Startup/Shutdown

[karhn]

When i startup my computer, it shows a blue screen saying "Please wait...".
During shutdown, it will show up an error saying cicerouiwindframe.exe and a button "End now".Sometimes this happens to my antispyware.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Goh Yi Fan at 9:59:31.62 on 29-Mar-09
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1503.871 [GMT 8:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\ICO.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\TuneUpDefragService.exe
C:\Documents and Settings\Goh Yi Fan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [SpybotDeletingD5263] cmd /c del "c:\windows\system32\kdmxn.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://www.miniclip.com/games/ricochet-lost-worlds/en/ReflexiveWebGameLoader.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://download.shockwave.com/pub/otoy/OTOYAX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gohyif~1\applic~1\mozilla\firefox\profiles\7aqta6by.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-24 210216]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-1-7 603904]
R3 krait03;Razer krait USB Filter Driver;c:\windows\system32\drivers\krait.sys [2008-11-27 13324]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S2 0060921229321424mcinstcleanup;0060921229321424mcinstcleanup; [x]
S2 0311211230031494mcinstcleanup;0311211230031494mcinstcleanup; [x]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PCD5SRVC{07D2499C-80E86AC3-05010004};PCD5SRVC{07D2499C-80E86AC3-05010004} - PCDR Kernel Mode Service Helper Driver;\??\c:\progra~1\pcdr5\pcd5srvc.pkms --> c:\progra~1\pcdr5\PCD5SRVC.pkms [?]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2006-12-22 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [2006-12-22 9216]
S3 rcp_service;ReaConverter scheduler service; [x]

=============== Created Last 30 ================

2009-03-29 08:23 82,432 ----h--t c:\windows\system32\20d21afe.dll
2009-03-29 08:23 82,432 ----h--t c:\windows\system32\1a06ab70.dll
2009-03-28 21:20 82,432 ----h--t c:\windows\system32\d3a7e7c.dll
2009-03-28 21:20 82,432 ----h--t c:\windows\system32\12475338.dll
2009-03-28 12:33 <DIR> --d----- c:\program files\HoverRace
2009-03-27 11:53 <DIR> --d----- c:\documents and settings\goh yi fan\Tracing
2009-03-27 11:42 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-03-27 11:40 <DIR> --d----- c:\program files\Microsoft
2009-03-27 11:40 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-26 16:19 2,736,890 a------- c:\windows\system32\GameMon.des
2009-03-22 21:37 <DIR> --d----- c:\program files\RocketDock
2009-03-18 13:38 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-16 14:16 <DIR> --d----- c:\program files\LucasArts
2009-03-15 12:07 0 -------- c:\windows\WB.ini
2009-03-14 23:54 <DIR> --d----- c:\program files\Yahoo!
2009-03-11 21:03 <DIR> --d----- c:\docume~1\gohyif~1\applic~1\TypingMaster7
2009-03-10 19:54 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-10 16:05 <DIR> --d----- c:\documents and settings\goh yi fan\undefined
2009-03-05 22:14 <DIR> --d----- c:\program files\ESET
2009-03-01 22:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Messenger Plus!
2009-03-01 21:19 <DIR> --d----- c:\program files\Messenger Plus! Live

==================== Find3M ====================

2009-03-15 12:16 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-03-10 19:54 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 19:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 19:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-06 14:24 93,336 a------- c:\windows\system32\drivers\epfwtdir.sys
2009-02-06 14:23 106,208 a------- c:\windows\system32\drivers\ehdrv.sys
2009-02-06 14:19 113,448 a------- c:\windows\system32\drivers\eamon.sys
2009-01-18 10:00 103,736 a------- c:\windows\system32\PnkBstrB.exe
2009-01-15 02:17 636,264 a------- c:\windows\system32\dllcache\iexplore.exe
2009-01-15 02:17 392,040 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-01-15 02:13 5,888,512 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-15 02:12 10,963,968 a------- c:\windows\system32\dllcache\ieframe.dll
2009-01-15 02:06 1,182,720 a------- c:\windows\system32\dllcache\urlmon.dll
2009-01-15 02:06 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-01-15 02:06 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 02:05 911,872 a------- c:\windows\system32\dllcache\wininet.dll
2009-01-15 02:05 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-01-15 02:05 109,056 a------- c:\windows\system32\dllcache\occache.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-01-15 02:04 755,200 a------- c:\windows\system32\dllcache\VGX.dll
2009-01-15 02:04 18,944 a------- c:\windows\system32\dllcache\corpol.dll
2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 02:04 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-01-15 02:02 1,975,296 a------- c:\windows\system32\dllcache\iertutil.dll
2009-01-15 02:02 593,920 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-01-15 02:02 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-01-15 02:01 183,808 a------- c:\windows\system32\dllcache\iepeers.dll
2009-01-15 02:01 59,904 a------- c:\windows\system32\dllcache\icardie.dll
2009-01-15 02:01 54,272 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\dllcache\imgutil.dll
2009-01-15 02:01 348,160 a------- c:\windows\system32\dllcache\dxtmsft.dll
2009-01-15 02:01 46,592 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-01-15 02:01 216,064 a------- c:\windows\system32\dllcache\dxtrans.dll
2009-01-15 02:01 66,560 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\dllcache\mshtmler.dll
2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 02:00 45,568 a------- c:\windows\system32\dllcache\mshta.exe
2009-01-15 01:53 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-15 01:50 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-01-15 01:35 445,440 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-11 13:00 79,360 -------- c:\windows\system32\dllcache\iecompat.dll
2009-01-07 15:03 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-01-07 15:03 360,192 a------- c:\windows\system32\TuneUpDefragService.exe
2008-12-31 13:23 2,328,832 a------- c:\windows\system32\TUKernel.exe
2008-12-21 17:28 31 a------- c:\documents and settings\goh yi fan\jagex_runescape_preferences.dat
2008-10-13 15:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100620081013\index.dat
2008-10-13 18:35 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101320081014\index.dat
2008-10-17 12:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101720081018\index.dat

============= FINISH: 10:00:00.07 ===============

[tetonbob]

Hello -

That message is reported to be associated with a bug in MS Office, and not infection related. If this reported fix does not help, you may wish to seek assistance in the Windows XP or MS Office sections of the forum.

The reported fix is:

In order to fix this issue you need to remove Speech and Handwriting Recognition feature from Microsoft Office.


Follow the procedure given below to fix CiceroUIWndFrame error

1. Start >> Control Panel

2. Double Click Add Remove Programs

3. Locate Microsoft Office and click on change button

4. Now, Check the box which says: Add or Remove Features.

Now, Check the box which says: Choose advanced customization of applications

5. Browse to Office Shared Features, Alternative User Input, and select Speech and Handwriting recognition (both) and make them Not Available

6. Click the update button and let it finish and you are done.

Reference links:

http://hemmer.home.cern.ch/hemmer/KB...es/Q000018.htm



========================

I don't see any sign of active infection in the logs, though it looks like Spybot recently removed something.

That said, there are some files of interest showing in your logs.

Please go to: VirusTotal

• On the page you'll find a "Browse" button.
  
• Next to the browse button you'll see a box to enter text.
• Please copy/paste the following:
  
  c:\windows\system32\20d21afe.dll
  
  
• Then click the "Send File " button just below.
• This will scan the file. Please be patient.
• If you get a message saying File has already been analyzed: click Reanalyze file now
• Once scanned, copy and paste the results in your next reply.

[karhn]

I get a message SKU011.CAB after the update.

I don't have c:\windows\system32\20d21afe.dll

[tetonbob]

Quote:

Originally Posted by karhn

I get a message SKU011.CAB after the update.

I don't have c:\windows\system32\20d21afe.dll

As to the first message, that somehow does not appear to me to be a complete error message, so I'm not sure what that means, and as I said earlier, you'll be better served seeking help for that in the other sections of the forum.

If message SKU011.CAB means this cab file is missing, it should be on the installation media from which Office was installed initially.

http://support.microsoft.com/kb/896866

Regarding the file....I see this in the logs

2009-03-29 08:23 82,432 ----h--t c:\windows\system32\20d21afe.dll
2009-03-29 08:23 82,432 ----h--t c:\windows\system32\1a06ab70.dll
2009-03-28 21:20 82,432 ----h--t c:\windows\system32\d3a7e7c.dll
2009-03-28 21:20 82,432 ----h--t c:\windows\system32\12475338.dll

Are none of these files present? Why do you say you don't have the file? Did you receive such a message when trying to upload it to VirusTotal?

[karhn]

Non of them are in system32

[tetonbob]

You're not exactly answering all my questions, which makes it more difficult to help. Take some time and help me help you.

If you're trying to find them yourself, it may be because you have system files hidden. If you copy/paste the file path as instructed, what happens? What message do you see from VirusTotal.

[karhn]

When I paste the file path, it says:
"File not found.
Please verify the correct file name was given."

For SKU011.CAB, it says that there is no SKY011.CAB and i could not proceed with the update for windows office.

[tetonbob]

Ok, thanks.

It would seem that something (perhaps your protection?) already deleted the files in question.

The other issue will be best addressed by asking in the Windows XP or MS Office section of the forum, as I've offered the only help I can find for that. I see no other reason to suspect infection here, which is what we focus on in this section of the forum.