I've had some problem with illegal shortcuts on my desktop as internet shortcuts to different gambling zones etc. Each time I run 'procexp.exe' to manually remove some handles linked to the process ('iexplore.exe') and then kill the process itself. There are always 2 'iexplore.exe' that runs by the way. After this I can delete a folder that's been added without my permission called 'dvd 64 book lies dumb' that includes a system file and a .exe file with a random name. The folder places itself in c:\documents and settings\all users\applicatopn data\. I also delete a folder with a different name in c:\documents and settings\per\application data\ including a exe file that gets the same name each time this happens 'multi~noun.exe'. Finally I reboot.
Still, once in a while (sometimes several times a day) this problem comes back.
I'm desperate in getting help on how to get rid of this hijack once and for all.
I also add my latest hijack this log below. The log was generated AFTER doing the things described above.
All the best,
Per
Logfile of HijackThis v1.97.7
Scan saved at 16:03:05, on 2004-10-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Norton Internet Security\IAMAPP.EXE
C:\Program\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\Program\Delade filer\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Norton Internet Security\NISUM.EXE
C:\Program\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\Palm\HOTSYNC.EXE
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\Norton Internet Security\SymProxySvc.exe
C:\Program\Norton Internet Security\NISSERV.EXE
C:\Program\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Per\Skrivbord\hijackthis\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [iamapp] C:\Program\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [BlstApp] C:\WINDOWS\System32\BLSTAPP.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: HotSync Manager.lnk = C:\Program\Palm\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: http://www.aftonbladet.se
O15 - Trusted Zone: http://www.ams.se
O15 - Trusted Zone: www.analog.com
O15 - Trusted Zone: http://www.comviq.se
O15 - Trusted Zone: www.expressen.se
O15 - Trusted Zone: http://www.miniclip.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.softube.se
O15 - Trusted Zone: www.svenskfotboll.se
O15 - Trusted Zone: www.telia.com
O15 - Trusted Zone: *.www.nt.se
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...f46b8ac2d5414a6
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1098637600328
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab