Nail.exe again! [resolved]


  • This topic is locked

#1
gQgler

    Member

  • Member
  • PipPip
  • 16 posts
Hi.. My Antivirus (Norman) has caught a file called nail.exe. I don't know what it does, but I don't like the fact that when I delete it, it comes back again! How do I get rid of it? :tazz:
  • 0

#2
gQgler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi Guys.. I have got the nail.exe file on my computer and I can't seem to get rid of it. I really hope that you can help me!

Here is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 20:10:03, on 17-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sesinetd.exe
C:\WINDOWS\system32\hserver.exe
C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmer\WZCBDL Service\WZCBDLS.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Norman\bin\ZLH.EXE
C:\Programmer\Lexmark X5100 Series\lxbabmgr.exe
C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Programmer\Lexmark X5100 Series\lxbabmon.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\D-Link\Air USB Utility\AirCFG.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Save\Save.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\BIN\npfmsg2.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marc Schønwandt\Dokumenter\programmer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Programmer\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Programmer\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmer\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Programmer\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nedijca] c:\windows\system32\lyswstt.exe
O4 - HKLM\..\Run: [fhkmujv] c:\windows\system32\tjlxfom.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WhenUSave] "C:\Programmer\Save\Save.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HootRPMET] ahuoci.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Programmer\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm41464US
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programmer\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programmer\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downlo..._1021_EN_XP.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007g...es/msnnames.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemme...es/KvikFoto.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by12fd.bay12....ex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programmer\WZCBDL Service\WZCBDLS.exe
  • 0

#3
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome gQgler to Geeks to Go!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Programmer\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll (file missing)

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)

O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll (file missing)

O4 - HKLM\..\Run: [nedijca] c:\windows\system32\lyswstt.exe

O4 - HKLM\..\Run: [fhkmujv] c:\windows\system32\tjlxfom.exe

O4 - HKLM\..\Run: [WhenUSave] "C:\Programmer\Save\Save.exe"

O4 - HKCU\..\Run: [HootRPMET] ahuoci.exe

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Programmer\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programmer\EmpirePoker\EmpirePoker.exe (file missing)

O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programmer\EmpirePoker\EmpirePoker.exe (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe

O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downlo..._1021_EN_XP.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab

O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Edited by g2i2r4, 19 May 2005 - 08:00 AM.

  • 0

#4
gQgler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi again! I removed the files you told me to, and it already looks like nail is gone! Thank you soooo much for your help! You guys rock!!!
Here is first my HJT log and second my Ewido log.

Logfile of HijackThis v1.99.1
Scan saved at 22:31:40, on 19-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Programmer\security suite\SecuritySuite.exe
C:\WINDOWS\Fish.scr
C:\Documents and Settings\Marc Schønwandt\Dokumenter\programmer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Programmer\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll (file missing)
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Programmer\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmer\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Programmer\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nedijca] c:\windows\system32\lyswstt.exe
O4 - HKLM\..\Run: [fhkmujv] c:\windows\system32\tjlxfom.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WhenUSave] "C:\Programmer\Save\Save.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HootRPMET] ahuoci.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Programmer\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm41464US
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programmer\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programmer\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downlo..._1021_EN_XP.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007g...es/msnnames.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemme...es/KvikFoto.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by12fd.bay12....ex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - D:\Programmer\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Programmer\security suite\ewidoguard.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programmer\WZCBDL Service\WZCBDLS.exe


Here is the Ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:29:30, 19-05-2005
+ Report-Checksum: 13DDB0A

+ Date of database: 19-05-2005
+ Version of scan engine: v3.0

+ Duration: 70 min
+ Scanned Files: 97400
+ Speed: 23.04 Files/Second
+ Infected files: 35
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\

+ Scan result:
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@advertising[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@atdmt[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@burstnet[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@com[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schø[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@fastclick[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@hitbox[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schø[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schø[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schønwandt@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Marc Schønwandt\Cookies\marc schø[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Programmer\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL -> Spyware.MyWebSearch -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP288\A0089535.exe -> Trojan.Nail -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP289\A0089613.exe -> Trojan.Nail -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP289\A0089624.exe -> Trojan.Nail -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP294\A0089767.exe -> Trojan.Nail -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP295\A0090040.dll -> TrojanDropper.Exidl.a -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP295\A0090041.DLL -> Spyware.Wesbar -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP295\A0090043.DLL -> Spyware.Wesbar -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP295\A0090052.exe -> Spyware.SaveNow.z -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP298\A0090322.exe -> Trojan.Agent.cp -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP298\A0090323.exe -> Trojan.Agent.cp -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP298\A0090324.exe -> Trojan.Agent.cp -> Ignored
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091356.exe -> Trojan.Stervis.c -> Ignored
C:\WINDOWS\NDNuninstall5_64.exe -> Spyware.NewDotNet -> Ignored
C:\WINDOWS\system32\11yf05fg.exe -> TrojanDropper.Small.gt -> Ignored
C:\WINDOWS\system32\HyperLinker3.exe -> Spyware.iSearch -> Ignored
C:\WINDOWS\system32\istinstall_145938.exe -> TrojanDownloader.IstBar.er -> Ignored
C:\WINDOWS\system32\osmim.dll -> Spyware.Marketscore -> Ignored
C:\WINDOWS\system32\PreInstaller_p1.exe -> TrojanDownloader.Keenval.o -> Ignored
D:\Programmer\BearShare\Installer\saveinstwm.exe -> Spyware.SaveNow.z -> Ignored


::Report End
  • 0

#5
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

***

Reboot to safe mode.

***

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

***

Please rerun Ewido, but do not ignore what it finds; let it delete the items.

***

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Programmer\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll (file missing)

O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)

O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)

O4 - HKLM\..\Run: [nedijca] c:\windows\system32\lyswstt.exe

O4 - HKLM\..\Run: [fhkmujv] c:\windows\system32\tjlxfom.exe

O4 - HKLM\..\Run: [WhenUSave] "C:\Programmer\Save\Save.exe"

O4 - HKCU\..\Run: [HootRPMET] ahuoci.exe

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Programmer\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm41464US

O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programmer\EmpirePoker\EmpirePoker.exe (file missing)

O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Programmer\EmpirePoker\EmpirePoker.exe (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyPoker\PartyPoker.exe

O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downlo..._1021_EN_XP.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab

O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar....r2/winhot32.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab

Click on Fix Checked when finished and exit HijackThis.

Use Windows Explorer to remove these folders:
C:\Programmer\PartyPoker\
C:\Programmer\Save\
C:\Programmer\MyWebSearch\

Also remove these files:
c:\windows\system32\lyswstt.exe
c:\windows\system32\tjlxfom.exe
c:\windows\system32\ahuoci.exe

Reboot the computer and post me the log from Ewido and a fresh log using HijackThis.
  • 0
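
The comparison the helper makes between posts #3 and #5, checking which fix-list entries are still in the follow-up log, written out as an added Python example (not part of the original thread, and not HijackThis's own logic). The sample lines are excerpts from the logs in this thread; the function names, the CLSID-matching rule and the handling of wrapped lines are assumptions of the example.

```python
import re

# HijackThis entries start with a section code (R3, F2, O2, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(text):
    """Return (code, body) pairs; header and running-process lines are skipped.

    A line that follows an entry ending in a dangling " -" is treated as the
    wrapped tail of that entry (forum line-wrapping, as seen in the fix lists).
    """
    entries, dangling = [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
            dangling = line.endswith(" -")
        else:
            if line and dangling:
                entries[-1][1] += " " + line
            dangling = False
    return [(code, body) for code, body in entries]


def entry_key(code, body):
    """Identify an entry by section + CLSID when it has one, else by its text.

    The displayed name and file status of a BHO can change between scans
    ("BolgerObj Class ... (file missing)" vs "(no name) ... (no file)"),
    so the text alone is not a stable identity.
    """
    m = CLSID_RE.search(body)
    if m:
        return (code, m.group(0).upper())
    return (code, " ".join(body.split()).casefold())


def still_present(fix_text, followup_text):
    """Fix-list entries whose key still appears in the follow-up log."""
    seen = {entry_key(c, b) for c, b in parse_entries(followup_text)}
    return [(c, b) for c, b in parse_entries(fix_text) if entry_key(c, b) in seen]


def shell_extras(log_text):
    """Programs listed in an F2 Shell= value besides Explorer.exe.

    Simplification: splits on whitespace, so paths containing spaces
    would need a real command-line tokenizer.
    """
    extras = []
    for code, body in parse_entries(log_text):
        pos = body.lower().find("shell=")
        if code == "F2" and pos != -1:
            value = body[pos + len("shell="):]
            extras += [t for t in value.split() if t.lower() != "explorer.exe"]
    return extras


# Excerpt of the fix list in post #3 (one entry wrapped as posted).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Programmer\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} -
C:\WINDOWS\system32\hsrb.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
"""

# Excerpt of the follow-up log in post #4.
LOG_POST4 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\explorer.exe
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Programmer\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll (file missing)
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
"""

# Excerpt of the follow-up log in post #6.
LOG_POST6 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
"""

if __name__ == "__main__":
    for name, log in (("post #4", LOG_POST4), ("post #6", LOG_POST6)):
        print(name, "shell extras:", shell_extras(log))
        for code, body in still_present(FIX_LIST, log):
            print("  still present:", code, "-", body)
```

Matching on the CLSID is what catches the `{302A3240-...}` BHO in both follow-up logs even though its display text changed after the first scan.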

#6
gQgler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Did what you told me to and here are my logs. There were some files you told me to remove with HJT that it could not find, and these files from c:\windows\system32 (lyswstt.exe, tjlxfom.exe and ahuoci.exe) weren't there.

Here is the Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 15:09:26, 20-05-2005
+ Report-Checksum: E97A54C4

+ Date of database: 19-05-2005
+ Version of scan engine: v3.0

+ Duration: 154 min
+ Scanned Files: 195108
+ Speed: 20.99 Files/Second
+ Infected files: 14
+ Removed files: 7
+ Files put in quarantine: 7
+ Files that could not be opened: 0
+ Files that could not be cleaned: 7

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
C:\
D:\
E:\

+ Scan result:
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091370.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091371.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091372.exe -> TrojanDropper.Small.gt -> Cleaned with backup
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091373.exe -> Spyware.iSearch -> Cleaned with backup
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091374.exe -> TrojanDownloader.IstBar.er -> Cleaned with backup
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091375.dll -> Spyware.Marketscore -> Cleaned with backup
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091376.exe -> TrojanDownloader.Keenval.o -> Cleaned with backup
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091370.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091371.exe -> Spyware.NewDotNet -> Error during cleaning
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091372.exe -> TrojanDropper.Small.gt -> Error during cleaning
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091373.exe -> Spyware.iSearch -> Error during cleaning
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091374.exe -> TrojanDownloader.IstBar.er -> Error during cleaning
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091375.dll -> Spyware.Marketscore -> Error during cleaning
C:\System Volume Information\_restore{0DA1AFE3-28CC-4C1C-930D-989D36C492EC}\RP299\A0091376.exe -> TrojanDownloader.Keenval.o -> Error during cleaning


::Report End



And here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 15:11:19, on 20-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Fish.scr
C:\Documents and Settings\Marc Schønwandt\Dokumenter\programmer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Programmer\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmer\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Programmer\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm41464US
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007g...es/msnnames.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemme...es/KvikFoto.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by12fd.bay12....ex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - D:\Programmer\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Programmer\security suite\ewidoguard.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programmer\WZCBDL Service\WZCBDLS.exe

Hope you can use it! Thanks for your help :tazz: ;)

#7
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
We're getting there.

I'm a bit paranoid, please have this file:
C:\WINDOWS\Fish.scr
scanned at this site:
http://virusscan.jotti.org/

Let me know what they say.

***

Open HijackThis.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)

O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)

O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm41464US

O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007g...es/msnnames.cab

Click on Fix Checked when finished and exit HijackThis.

Reboot the computer.

***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press 'save list'. A file will be created. Post the content of that file here in your answer.

***

Please download and install AdAware SE.
Check Here on how to set up and use it - please make sure you update it first.
Run a scan and have items in Red removed.

***

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

***

Post back here with a fresh log to check and the uninstall list. Let me know what Jotti said.

#8
gQgler

    Member

  • Topic Starter
  • Member
  • 16 posts
I agree with you that there might be some problems with Fish.scr. Every time I quit my screensaver (which is Fish.scr) it closes down every open browser and window, and asks if I want to close down my computer (like it does when you press start and then shut down).

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:06:44, on 21-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Norman\bin\ZLH.EXE
C:\Programmer\Lexmark X5100 Series\lxbabmgr.exe
C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\D-Link\Air USB Utility\AirCFG.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Lexmark X5100 Series\lxbabmon.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\WinZip\WZQKPICK.EXE
D:\Programmer\security suite\ewidoctrl.exe
D:\Programmer\security suite\ewidoguard.exe
C:\WINDOWS\system32\sesinetd.exe
C:\WINDOWS\system32\hserver.exe
C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmer\WZCBDL Service\WZCBDLS.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\npfmsg2.exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Marc Schønwandt\Dokumenter\programmer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Programmer\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmer\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Programmer\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007g...es/msnnames.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemme...es/KvikFoto.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by12fd.bay12....ex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - D:\Programmer\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Programmer\security suite\ewidoguard.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programmer\WZCBDL Service\WZCBDLS.exe

Here is what http://virusscan.jotti.org/ said:

AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing


And here is the uninstall list:

ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat 5.0
Air USB Utility
BearShare
Bejeweled 2 Deluxe 1.0
CleanUp!
D2 Tools
DFX for Windows Media Player
Digital Audio Manager (PA30B)
EMCO Malware Bouncer
ewido security suite
FaxTools
FinePixViewer Ver.4.2
FUJIFILM USB Driver
Gads Bogskab
Gads Fransk Small/Medium
Half-Life
Half-Life® 2
HighMAT-udvidelse til Guiden Cd-skrivning til Microsoft Windows XP
HijackThis 1.99.1
ImageMixer VCD2 for FinePix
Intel® Extreme Graphics Driver
iTunes
Lexmark Skin: Helix
Lexmark X5100 Series
Maximum Babes 2004
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Danish Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Office XP Professional med FrontPage
Microsoft Windows Journal Viewer
Microsoft Works 7.0
MSN Messenger 7.0
MSN Toolbar
Multimedia Keyboard Driver Ver1.0 (KB-0108)
Nero OEM
Network Play System (Patching)
NIOC Service
Norman Internet Control
PartyPoker
PC'en
POD-Bot 2.5
Power Mp3 Cutter(Mp3 Sound Cutter) 1.40
PowerDVD
QuickTime
RealPlayer
Realtek AC'97 Audio
Save!
Sierra Utilities
Sikkerhedskopiering til Windows
Skype 1.2
Steam
Stronghold Crusader
The Sims House Party
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WZCBDL Service


You are really saving my ( Y ) g2i2r4!

#9
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I have no idea what this program is:
PC'en
Please let me know.

Open HijackThis.
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
EMCO Malware Bouncer (more information can be found here)
Party Poker
Save!
Press ‘delete this item’.
Press ‘back’
Then press ‘scan’

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
Click on Fix Checked when finished and exit HijackThis.

Did you run AdAware SE and remove items in red?

Please reboot your computer and post me another HijackThis log to check.
  • 0
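The fix, reboot and re-post cycle in this thread can be checked mechanically. The following is an added example, not part of any post here and not HijackThis code: it parses the entry lines of two HijackThis logs and reports which entries from a fix list are still present after the fix. The log excerpts are copied from the 20-05-2005 and 21-05-2005 logs posted above; all function and variable names are illustrative assumptions.

```python
import re
from typing import NamedTuple

# Excerpts copied from the 20-05-2005 (before) and 21-05-2005 (after) logs in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Fish.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm41464US
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007g...es/msnnames.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007g...es/msnnames.cab
"""

# The four entries the helper asked to have checked and fixed in post #7.
FIX_LIST = r"""
O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm41464US
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - http://download.007g...es/msnnames.cab
"""

# Entry lines start with a section code (R0, O2, O16, ...) followed by " - ".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


class Entry(NamedTuple):
    code: str  # section code, e.g. "O2" (BHO) or "O16" (downloaded ActiveX control)
    body: str  # everything after "<code> - "

    @property
    def key(self):
        # Compare on section plus whitespace-normalised, case-folded body so that
        # copy/paste spacing differences between posts do not hide a match.
        return (self.code, " ".join(self.body.split()).casefold())


def parse_entries(log_text):
    """Return the R*/O* entry lines of a HijackThis log as Entry tuples."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def verify_fix(fix_list, before_log, after_log):
    """Compare two logs and report what happened to the entries in fix_list."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    before_keys = {e.key for e in before}
    after_keys = {e.key for e in after}
    return {
        # Entries that were supposed to be fixed but are in the newer log.
        "still_present": [e for e in parse_entries(fix_list) if e.key in after_keys],
        # Entries that disappeared between the two logs (fixed or uninstalled).
        "removed": [e for e in before if e.key not in after_keys],
        # Entries that are new in the later log and need a fresh look.
        "added": [e for e in after if e.key not in before_keys],
        # Registrations pointing at a missing file, as HijackThis marks them.
        "orphaned": [e for e in after if e.body.endswith("(no file)")],
    }


if __name__ == "__main__":
    report = verify_fix(FIX_LIST, LOG_BEFORE, LOG_AFTER)
    for name, entries in report.items():
        print(f"{name}: {len(entries)}")
        for e in entries:
            print(f"  {e.code} - {e.body}")
```

On these excerpts the two entries reported as still present are the `(no file)` BHO `{302A3240-4805-4a34-97D7-1645A0B08410}` and the 007installer DPF entry.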

#10
gQgler

    Member

  • Topic Starter
  • Member
  • 16 posts
In uninstall manager I can't find the "delete this" button, but I see a "delete this entry" button. Can I press that one??

#11
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Yes please.

#12
gQgler

    Member

  • Topic Starter
  • Member
  • 16 posts
PC'en is just a program showing the description of the computer. It was automatically installed when I got my computer.

Uninstall manager couldn't find Save, but I have deleted EMCO Malware Bouncer and Party Poker as you said.

I deleted the files in red that Ad-Aware found.

You told me to delete O2 - BHO: (no name) - {302A3240-4805-4a34-97D7-1645A0B08410} - (no file) but it wasn't on the list in HJT.

Here is first the Ad-Aware log and after that the HJT log:


Ad-Aware SE Build 1.04
Logfile Created on:21. maj 2005 00:34:09
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R46 17.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):35 total references
Tracking Cookie(TAC index:3):18 total references
WhenU(TAC index:3):9 total references
VX2(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R46 17.05.2005
Internal build : 54
File location : C:\Programmer\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 474775 Bytes
Total size : 1435210 Bytes
Signature data size : 1404100 Bytes
Reference data size : 30598 Bytes
Signatures total : 40060
Fingerprints size : 30250 Bytes
Target categories : 15
Target families : 674


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:26 %
Total physical memory:515568 kb
Available physical memory:131024 kb
Total page file size:1259832 kb
Available on page file:991972 kb
Total virtual memory:2097024 kb
Available virtual memory:2045508 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


21-05-2005 00:34:09 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 284
ThreadCreationTime : 20-05-2005 22:12:37
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 332
ThreadCreationTime : 20-05-2005 22:12:39
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 356
ThreadCreationTime : 20-05-2005 22:12:40
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 400
ThreadCreationTime : 20-05-2005 22:12:40
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Tjenester og controllerprogrammer
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 412
ThreadCreationTime : 20-05-2005 22:12:40
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 604
ThreadCreationTime : 20-05-2005 22:12:43
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 652
ThreadCreationTime : 20-05-2005 22:12:43
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 688
ThreadCreationTime : 20-05-2005 22:12:43
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 768
ThreadCreationTime : 20-05-2005 22:12:44
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 872
ThreadCreationTime : 20-05-2005 22:12:45
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 948
ThreadCreationTime : 20-05-2005 22:12:45
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 972
ThreadCreationTime : 20-05-2005 22:12:45
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 984
ThreadCreationTime : 20-05-2005 22:12:45
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:14 [ewidoctrl.exe]
FilePath : D:\Programmer\security suite\
ProcessID : 1240
ThreadCreationTime : 20-05-2005 22:12:53
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:15 [ewidoguard.exe]
FilePath : D:\Programmer\security suite\
ProcessID : 1252
ThreadCreationTime : 20-05-2005 22:12:54
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : guard
CompanyName : ewido networks
FileDescription : guard
InternalName : guard
LegalCopyright : Copyright © 2004
OriginalFilename : guard.exe

#:16 [sesinetd.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1316
ThreadCreationTime : 20-05-2005 22:12:55
BasePriority : Normal
FileVersion : 6, 0, 0, 286
ProductVersion : 6, 0, 0, 286
CompanyName : Side Effects Software Inc.
LegalCopyright : Copyright © 2003

#:17 [hserver.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1328
ThreadCreationTime : 20-05-2005 22:12:55
BasePriority : Normal
FileVersion : 6, 0, 0, 286
ProductVersion : 6, 0, 0, 286
CompanyName : Side Effects Software Inc.
LegalCopyright : Copyright © 2003

#:18 [logwatnt.exe]
FilePath : C:\Programmer\CA\SharedComponents\CA_LIC\
ProcessID : 1348
ThreadCreationTime : 20-05-2005 22:12:55
BasePriority : Normal
FileVersion : 1.52
ProductVersion : 1, 0, 0, 1
ProductName : Computer Associates LogWatNT
CompanyName : Computer Associates
FileDescription : LogWatNT
InternalName : LogWatNT
LegalCopyright : Copyright © 2002
OriginalFilename : LogWatNT.exe

#:19 [npfsvice.exe]
FilePath : C:\NORMAN\Nvc\BIN\
ProcessID : 1372
ThreadCreationTime : 20-05-2005 22:12:55
BasePriority : Normal


#:20 [zanda.exe]
FilePath : C:\Norman\bin\
ProcessID : 1404
ThreadCreationTime : 20-05-2005 22:12:55
BasePriority : Normal


#:21 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1504
ThreadCreationTime : 20-05-2005 22:12:55
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:22 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1552
ThreadCreationTime : 20-05-2005 22:12:56
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:23 [wzcbdls.exe]
FilePath : C:\Programmer\WZCBDL Service\
ProcessID : 1608
ThreadCreationTime : 20-05-2005 22:12:56
BasePriority : Normal
FileVersion : 1, 0, 0, 20319
ProductVersion : 1, 0, 0, 20319
ProductName : WZCBDLService Launcher (NT)
CompanyName : D-Link
FileDescription : WZCBDLService Launcher
InternalName : WZCBDLS
LegalCopyright : Copyright © 2002, D-Link Corporation
OriginalFilename : WZCBDLS.exe

#:24 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 264
ThreadCreationTime : 20-05-2005 22:13:01
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Windows Stifinder
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : EXPLORER.EXE

#:25 [nvcsched.exe]
FilePath : C:\NORMAN\Nvc\BIN\
ProcessID : 1096
ThreadCreationTime : 20-05-2005 22:13:08
BasePriority : Normal
FileVersion : 1.03
ProductVersion : 1.03
ProductName : Norman Virus Control
CompanyName : Norman Data Defense Systems
FileDescription : NVC Scheduler
InternalName : NVCSched.exe
LegalCopyright : © Norman Data Defense Systems. 1997-2000
OriginalFilename : NVCSched.exe

#:26 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 192
ThreadCreationTime : 20-05-2005 22:13:08
BasePriority : Normal
FileVersion : 5.0.19
ProductVersion : 5.0.19
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright © 2001-2003 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:27 [igfxtray.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1292
ThreadCreationTime : 20-05-2005 22:13:08
BasePriority : Normal
FileVersion : 3.0.0.3943
ProductVersion : 7.0.0.3943
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2004, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:28 [hkcmd.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1384
ThreadCreationTime : 20-05-2005 22:13:08
BasePriority : Normal
FileVersion : 3.0.0.3943
ProductVersion : 7.0.0.3943
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2004, Intel Corporation
OriginalFilename : HKCMD.EXE

#:29 [mhotkey.exe]
FilePath : C:\WINDOWS\
ProcessID : 1532
ThreadCreationTime : 20-05-2005 22:13:09
BasePriority : Normal
FileVersion : 2, 2, 2, 0
ProductVersion : 2, 2, 2, 0
ProductName : Chicony Multimedia Driver
CompanyName : Chicony
FileDescription : Chicony Multimedia Driver
InternalName : Multimedia Hotkey Driver
LegalCopyright : Copyright © 2001 Chicony
OriginalFilename : mHotkey.res

#:30 [zlh.exe]
FilePath : C:\Norman\bin\
ProcessID : 1580
ThreadCreationTime : 20-05-2005 22:13:09
BasePriority : Normal


#:31 [lxbabmgr.exe]
FilePath : C:\Programmer\Lexmark X5100 Series\
ProcessID : 1416
ThreadCreationTime : 20-05-2005 22:13:10
BasePriority : Normal
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
ProductName : Button Manager Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X5100 Series Button Manager
InternalName : lxbabmgr.exe
LegalCopyright : © 2003 Lexmark International, Inc.
OriginalFilename : lxbabmgr.exe

#:32 [msnappau.exe]
FilePath : C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\
ProcessID : 1652
ThreadCreationTime : 20-05-2005 22:13:10
BasePriority : Normal


#:33 [lxbabmon.exe]
FilePath : C:\Programmer\Lexmark X5100 Series\
ProcessID : 1584
ThreadCreationTime : 20-05-2005 22:13:10
BasePriority : Normal
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
ProductName : Button Monitor Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark X5100 Series Button Monitor
InternalName : lxbabmon.exe
LegalCopyright : © 2003 Lexmark International, Inc.
OriginalFilename : lxbabmon.exe

#:34 [qttask.exe]
FilePath : C:\Programmer\QuickTime\
ProcessID : 1840
ThreadCreationTime : 20-05-2005 22:13:10
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:35 [nip.exe]
FilePath : C:\Norman\Nvc\BIN\
ProcessID : 2072
ThreadCreationTime : 20-05-2005 22:13:11
BasePriority : Normal


#:36 [npfmsg2.exe]
FilePath : C:\Norman\Nvc\BIN\
ProcessID : 2112
ThreadCreationTime : 20-05-2005 22:13:11
BasePriority : Normal
FileVersion : 1, 2, 0, 0
ProductVersion : 1, 2, 0, 0
ProductName : NPFMessenger Application
FileDescription : NPFMessenger MFC Application
InternalName : NPFMessenger
LegalCopyright : Copyright © 2000
OriginalFilename : NPFMessenger.EXE

#:37 [aircfg.exe]
FilePath : C:\Programmer\D-Link\Air USB Utility\
ProcessID : 2204
ThreadCreationTime : 20-05-2005 22:13:17
BasePriority : Normal
FileVersion : 3, 1, 5, 30723
ProductVersion : 3, 1, 5, 30723
ProductName : Wireless LAN Monitor
CompanyName : D-Link
FileDescription : D-Link Wireless LAN Monitor
InternalName : WlanMonitor
LegalCopyright : Copyright 2002©, D-Link. All Rights Reserved.
LegalTrademarks : D-Link
OriginalFilename : WlanMon.EXE

#:38 [ituneshelper.exe]
FilePath : C:\Programmer\iTunes\
ProcessID : 2216
ThreadCreationTime : 20-05-2005 22:13:17
BasePriority : Normal
FileVersion : 4.7.0.42
ProductVersion : 4.7.0.42
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:39 [realsched.exe]
FilePath : C:\Programmer\Fælles filer\Real\Update_OB\
ProcessID : 2248
ThreadCreationTime : 20-05-2005 22:13:17
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:40 [point32.exe]
FilePath : C:\Programmer\Microsoft IntelliPoint\
ProcessID : 2276
ThreadCreationTime : 20-05-2005 22:13:18
BasePriority : Normal


#:41 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2284
ThreadCreationTime : 20-05-2005 22:13:18
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:42 [skype.exe]
FilePath : C:\Programmer\Skype\Phone\
ProcessID : 2292
ThreadCreationTime : 20-05-2005 22:13:18
BasePriority : Normal


#:43 [wzqkpick.exe]
FilePath : C:\Programmer\WinZip\
ProcessID : 2316
ThreadCreationTime : 20-05-2005 22:13:18
BasePriority : Normal
FileVersion : 1.0 (32-bit)
ProductVersion : 9.0 (6028)
ProductName : WinZip
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
LegalCopyright : Copyright © WinZip Computing, Inc. 1991-2004 - All Rights Reserved
LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc
OriginalFilename : WZQKPICK.EXE
Comments : StringFileInfo: U.S. English

#:44 [njeeves.exe]
FilePath : C:\Norman\bin\
ProcessID : 2472
ThreadCreationTime : 20-05-2005 22:13:39
BasePriority : Normal


#:45 [nipsvc.exe]
FilePath : C:\NORMAN\Nvc\BIN\
ProcessID : 2508
ThreadCreationTime : 20-05-2005 22:13:39
BasePriority : Normal


#:46 [nvcoas.exe]
FilePath : C:\NORMAN\Nvc\BIN\
ProcessID : 2540
ThreadCreationTime : 20-05-2005 22:13:39
BasePriority : Normal
FileVersion : 5, 3, 0, 1
ProductVersion : NVC forTerminal server beta
ProductName : NVC on-access scanner
CompanyName : Norman ASA
FileDescription : NVC on-access virus scanner
InternalName : NVCNT
LegalCopyright : Copyright © 2000-2001
OriginalFilename : NVCOAS.EXE

#:47 [ipodservice.exe]
FilePath : C:\Programmer\iPod\bin\
ProcessID : 2660
ThreadCreationTime : 20-05-2005 22:13:40
BasePriority : Normal
FileVersion : 4.7.0.42
ProductVersion : 4.7.0.42
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:48 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2724
ThreadCreationTime : 20-05-2005 22:13:41
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:49 [cclaw.exe]
FilePath : C:\Norman\Nvc\bin\
ProcessID : 3152
ThreadCreationTime : 20-05-2005 22:13:47
BasePriority : Normal


#:50 [iexplore.exe]
FilePath : C:\Programmer\Internet Explorer\
ProcessID : 3396
ThreadCreationTime : 20-05-2005 22:15:58
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : IEXPLORE.EXE

#:51 [ad-aware.exe]
FilePath : C:\Programmer\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3876
ThreadCreationTime : 20-05-2005 22:32:54
BasePriority : Normal
FileVersion : 6.2.0.193
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WhenU Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wusn.1

VX2 Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bolgerdll.bolgerdllobj.1

WhenU Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\whenusavemsg

WhenU Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

MRU List Object Recognized!
Location: : C:\Documents and Settings\Marc Schønwandt\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\mediaplayer\player\recenturllist
Description : list of recently used web addresses in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\mediaplayer\player\settings
Description : last save as directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\office\10.0\clip organizer\search\last query
Description : last query in microsoft clip organizer


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\office\10.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\office\10.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\office\10.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-892889881-1979866731-2640209615-1006\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@hitbox[2].txt
Category : Data Miner
Comment : 19-05-2005 08:54:26
Value : Cookie:marc schø[email protected]/
Expires : 19-05-2006 08:55:06
LastSync : 19-05-2005 08:54:26
UseCount : 0
Hits : 28

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@mediaplex[1].txt
Category : Data Miner
Comment : 19-05-2005 08:50:20
Value : Cookie:marc schø[email protected]/
Expires : 22-06-2009 02:00:00
LastSync : 19-05-2005 08:50:20
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@maxserving[2].txt
Category : Data Miner
Comment : 20-05-2005 16:33:40
Value : Cookie:marc schø[email protected]/
Expires : 18-05-2015 16:34:22
LastSync : 20-05-2005 16:33:40
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@fastclick[2].txt
Category : Data Miner
Comment : 20-05-2005 22:12:50
Value : Cookie:marc schø[email protected]/
Expires : 20-05-2007 16:18:18
LastSync : 20-05-2005 22:12:50
UseCount : 0
Hits : 38

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@cgi-bin[2].txt
Category : Data Miner
Comment : 20-05-2005 16:00:56
Value : Cookie:marc schø[email protected]/cgi-bin
Expires : 28-02-2015 02:00:00
LastSync : 20-05-2005 16:00:56
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schø[email protected][2].txt
Category : Data Miner
Comment : 20-05-2005 16:35:26
Value : Cookie:marc schø[email protected]/
Expires : 19-06-2005 16:36:06
LastSync : 20-05-2005 16:35:26
UseCount : 0
Hits : 18

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@advertising[1].txt
Category : Data Miner
Comment : 20-05-2005 16:35:26
Value : Cookie:marc schø[email protected]/
Expires : 19-05-2010 16:36:06
LastSync : 20-05-2005 16:35:26
UseCount : 0
Hits : 17

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@tribalfusion[1].txt
Category : Data Miner
Comment : 18-05-2005 23:38:14
Value : Cookie:marc schø[email protected]/
Expires : 01-01-2038 02:00:00
LastSync : 18-05-2005 23:38:14
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schø[email protected][2].txt
Category : Data Miner
Comment : 18-05-2005 16:12:14
Value : Cookie:marc schø[email protected]/
Expires : 12-05-2024 20:07:28
LastSync : 18-05-2005 16:12:14
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@2o7[2].txt
Category : Data Miner
Comment : 19-05-2005 10:15:34
Value : Cookie:marc schø[email protected]/
Expires : 18-05-2010 10:16:12
LastSync : 19-05-2005 10:15:34
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schø[email protected][2].txt
Category : Data Miner
Comment : 19-05-2005 08:54:26
Value : Cookie:marc schø[email protected]/
Expires : 19-05-2006 08:55:06
LastSync : 19-05-2005 08:54:26
UseCount : 0
Hits : 38

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schø[email protected][1].txt
Category : Data Miner
Comment : 20-05-2005 16:17:40
Value : Cookie:marc schø[email protected]/
Expires : 20-05-2006 16:18:22
LastSync : 20-05-2005 16:17:40
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@doubleclick[2].txt
Category : Data Miner
Comment : 19-05-2005 08:51:10
Value : Cookie:marc schø[email protected]/
Expires : 18-05-2008 08:51:50
LastSync : 19-05-2005 08:51:10
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schø[email protected][1].txt
Category : Data Miner
Comment : 19-05-2005 08:49:18
Value : Cookie:marc schø[email protected]/
Expires : 18-06-2005 08:49:56
LastSync : 19-05-2005 08:49:18
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@cgi-bin[1].txt
Category : Data Miner
Comment : 20-05-2005 15:50:48
Value : Cookie:marc schø[email protected]/cgi-bin
Expires : 19-01-2009 01:00:00
LastSync : 20-05-2005 15:50:48
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : marc schønwandt@atdmt[1].txt
Category : Data Miner
Comment : 20-05-2005 15:50:48
Value : Cookie:marc schø[email protected]/
Expires : 19-05-2010 02:00:00
LastSync : 20-05-2005 15:50:48
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 16
Objects found so far: 55



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : system@hitbox[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\LocalService\Cookies\system@hitbox[1].txt

WhenU Object Recognized!
Type : File
Data : Save.exe
Category : Misc
Comment :
Object : C:\RECYCLER\S-1-5-21-892889881-1979866731-2640209615-1006\Dc18\
FileVersion : 2, 6, 4, 7
ProductVersion : 2, 6, 4, 7
ProductName : Save!
CompanyName : WhenU.com, Inc.
FileDescription : Save!
InternalName : WhenUSave
LegalCopyright : Copyright 2001
OriginalFilename : Save.exe


WhenU Object Recognized!
Type : File
Data : SaveUninst.exe
Category : Misc
Comment :
Object : C:\RECYCLER\S-1-5-21-892889881-1979866731-2640209615-1006\Dc18\
FileVersion : 2, 6, 4, 7
ProductVersion : 2, 6, 4, 7
ProductName : Save! Uninstall
CompanyName : WhenU.com, Inc.
FileDescription : Save! Uninstall
InternalName : SaveUninst
LegalCopyright : Copyright 2001
OriginalFilename : SaveUninst.exe


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 59




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WhenU Object Recognized!
Type : Folder
Category : Misc
Comment :
Object : C:\Documents and Settings\Marc Schønwandt\Menuen Start\Programmer\WhenU

WhenU Object Recognized!
Type : File
Data : Learn More About Save!.url
Category : Misc
Comment :
Object : C:\Documents and Settings\Marc Schønwandt\Menuen Start\Programmer\whenu\



WhenU Object Recognized!
Type : File
Data : Learn More About SaveNow.url
Category : Misc
Comment :
Object : C:\Documents and Settings\Marc Schønwandt\Menuen Start\Programmer\whenu\



WhenU Object Recognized!
Type : File
Data : WhenU.com Website.url
Category : Misc
Comment :
Object : C:\Documents and Settings\Marc Schønwandt\Menuen Start\Programmer\whenu\



VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 64

00:44:35 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:26.203
Objects scanned:138650
Objects identified:29
Objects ignored:0
New critical objects:29



Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:10:28, on 21-05-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programmer\security suite\ewidoctrl.exe
D:\Programmer\security suite\ewidoguard.exe
C:\WINDOWS\system32\sesinetd.exe
C:\WINDOWS\system32\hserver.exe
C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmer\WZCBDL Service\WZCBDLS.exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\Explorer.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Norman\bin\ZLH.EXE
C:\Programmer\Lexmark X5100 Series\lxbabmgr.exe
C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe
C:\Programmer\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\D-Link\Air USB Utility\AirCFG.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\Nvc\BIN\npfmsg2.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Marc Schønwandt\Dokumenter\programmer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\01.02.4000.1001\da\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Programmer\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Programmer\MSN Apps\Updater\01.02.3000.1001\da\msnappau.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmer\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Programmer\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmer\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemme...es/KvikFoto.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by12fd.bay12....ex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - D:\Programmer\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Programmer\security suite\ewidoguard.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programmer\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmer\Fælles filer\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Programmer\WZCBDL Service\WZCBDLS.exe

#13
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Did you reboot after removing the program Save?
Please remove WhenU from your computer:
This folder:
C:\Documents and Settings\Marc Schønwandt\Menuen Start\Programmer\whenu\

***

Find and double-click the file cleanup.

Go to option
Select ‘custom’
Put a check to:
* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Download VX2 Cleaner.
Install the VX2 Cleaner.
Start Ad-Aware
Go to “Add-ons”
Select VX2 Cleaner add-on and click “Run Tool”

You will see this window:
Posted Image

Select “Clean System”
Reboot the computer
Open Ad-Aware and update
Scan the computer using Ad-Aware
Remove VX2 objects that are found
Reboot the computer again
Scan again to be sure it's gone.

***

How are things now?

#14
gQgler

gQgler

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I can’t remember if I rebooted after removing the program Save, as you told me to remove earlier. The folder C:\Documents and Settings\Marc Schønwandt\Menuen Start\Programmer\whenu\ doesn’t exist.

Okay I did the CleanUP scan and logged off and on again.
I downloaded VX2 Cleaner and did what you said, but when I press run tool, a different window appears than the one you see. It says:
Status System Clean

Clean Close
--------------------------
Version 1.03

I can't click on the "clean" button for some reason. Nothing happens if I try.
What do I do from here?

Edited by gQgler, 21 May 2005 - 05:32 AM.


#15
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
That means that versions of VX2 are not found on your computer.

Check here on how to set up AdAware.
Then rerun AdAware and post the log again.
If you couldn't find the folder now, you didn't reboot after the uninstall. Maybe that's why they are still in the log.