SpyAxe / Smitfraud-C trouble



#1
EricAX

Hi,

Yesterday I got the SpyAxe stuff on my computer with all the associated symptoms described in other places.

I have read some of the previous posts and performed some tasks that were suggested there, but it doesn't seem like I have got rid of everything. First I renamed and removed the svchosts.dll, but this didn't fix the problem. Then I have run the SmitRem and the SpyAxeFix as described in other threads. When finished, my Ad-aware finds nothing, but I find something with Spybot that it says it is not able to fix. I get this message from Spybot: "Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory)". It continues to say that it may be fixed after a restart, and I run the Spybot upon restart next time, but exactly the same happens - cannot fix the problem.

The object I cannot fix is this one:
"HKEY_USERS\S-1-5-21-1606980848-746137067-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\free-spy-cam.net\*!=W04"

I also found one incident with the Panda Active scan that was not disinfected. (I manually removed this file later) This is the report from the Panda scan:

------------------------------------
Incident Status Location

Adware:adware/securityerror Not desinfected C:\Documents and Settings\Eier\Favoritter\Take It Here - Daily Updated [bleep] Links.url
------------------------------------

Have I fixed some of this problem? How can I get rid of the rest?

This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:02:39, on 05.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Norman\bin\ZANDA.EXE
C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Programfiler\Norman\Nvc\BIN\nipsvc.exe
C:\Programfiler\Norman\bin\NJEEVES.EXE
C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Programfiler\Wistron\AVManager\AVManager.exe
C:\Programfiler\Norman\bin\ZLH.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\ltmoh\Ltmoh.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Norman\Nvc\BIN\NIP.EXE
C:\Programfiler\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe
C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osloaikid...norskindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osloaikid...norskindex.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hpE647.tmp (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programfiler\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AVManager] "C:\Programfiler\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Programfiler\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programfiler\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [mmtask] C:\Programfiler\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O15 - Trusted Zone: sf.anytime.com
O15 - Trusted Zone: *.sf-anytime.com
O15 - Trusted Zone: http://pub.tv2.no
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107615952093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133735888519
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Programfiler\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Programfiler\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

By the way, here is my smitfiles log:


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Versjon 5.1.2600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Free XXX Sites List.url
Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
ncompat.tlb
nvctrl.exe
hp***.tmp
logfiles


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:


And here is the SpyAxeFix log:


SpyAxeFix © by noahdfear


Microsoft Windows XP [Versjon 5.1.2600]




Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1392 'explorer.exe'
Killing PID 1392 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"




I hope you are able to help me and I look forward to your reply.

Edited by EricAX, 05 December 2005 - 10:39 AM.


#2
njustice

To help clean out Trusted Zones, download and run DELDOMAINS, then double click to open the DelDomains.inf. To execute the file: right-click and select 'Install' from the menu.

  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
    O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hpE647.tmp (file missing)
    O4 - Global Startup: Free WebSite Tools.lnk = ?
    O15 - Trusted Zone: sf.anytime.com
    O15 - Trusted Zone: *.sf-anytime.com
    O15 - Trusted Zone: http://pub.tv2.no

    Close all browsers and windows, click on Fix Checked when finished, and exit HijackThis.
  • Reboot your computer.

Post back a fresh HijackThis log and we will take another look.
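
Added example, not part of the thread and not HijackThis's own logic: a Python triage pass over an excerpt of the log from post #1 that flags the kinds of entries the reply above selects (components whose file is missing, startup shortcuts with no resolvable target, Trusted Zone sites). The rule set and the names `parse_log`, `triage` and `not_selected` are assumptions of this example; the log lines are copied from the posts.

```python
import re
from dataclasses import dataclass

# Excerpt of the HijackThis log posted in #1 (lines copied verbatim).
LOG_EXCERPT = r"""
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hpE647.tmp (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Free WebSite Tools.lnk = ?
O15 - Trusted Zone: sf.anytime.com
O15 - Trusted Zone: *.sf-anytime.com
O15 - Trusted Zone: http://pub.tv2.no
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# The five entries the reply in #2 asks to tick before "Fix Checked".
HELPER_SELECTED = r"""
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hpE647.tmp (file missing)
O4 - Global Startup: Free WebSite Tools.lnk = ?
O15 - Trusted Zone: sf.anytime.com
O15 - Trusted Zone: *.sf-anytime.com
O15 - Trusted Zone: http://pub.tv2.no
"""

# HijackThis entries start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<code>[ORFN]\d{1,2}) - (?P<body>.+)$")
TMP_IN_SYSTEM32 = re.compile(r"\\system32\\[^\\]+\.tmp\b", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str   # section code, e.g. "O2"
    body: str   # everything after "<code> - "

    @property
    def line(self):
        return f"{self.code} - {self.body}"


def parse_log(text):
    """Return the section entries of a HijackThis log, skipping header and process lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"].strip()))
    return entries


def triage(entries):
    """Return [(entry, reasons)] for entries that deserve a manual look.

    The rules are review heuristics assumed for this example, not a verdict:
    a flagged line still needs a human decision before it is fixed.
    """
    flagged = []
    for e in entries:
        reasons = []
        if e.body.endswith("(file missing)"):
            reasons.append("registration points at a file that no longer exists")
        if e.code == "O2" and TMP_IN_SYSTEM32.search(e.body):
            reasons.append("browser helper object loaded from a .tmp file in system32")
        if e.code == "O4" and e.body.endswith("= ?"):
            reasons.append("startup shortcut whose target could not be resolved")
        if e.code == "O15":
            reasons.append("site placed in the Internet Explorer Trusted Zone")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def not_selected(flagged, selected_text):
    """Flagged entries that a reviewer's selection list does not contain."""
    selected = {l.strip() for l in selected_text.splitlines() if l.strip()}
    return [e for e, _ in flagged if e.line not in selected]


if __name__ == "__main__":
    flagged = triage(parse_log(LOG_EXCERPT))
    for entry, reasons in flagged:
        print(entry.line)
        for r in reasons:
            print("    -", r)
    print("\nFlagged here but not in the reply's list:")
    for entry in not_selected(flagged, HELPER_SELECTED):
        print("   ", entry.line)
```

The heuristics flag seven lines, two more than the reply selects (both Adobe entries), which is why the output is a list of review candidates and not a fix list.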

#3
EricAX

Dear Njustice,

Thank you for your reply.
As I said in my previous post, I thought I had gotten rid of the SpyAxe, but as I logged on my computer now, I had received 18 new critical objects. I have not used the PC for anything since my previous infection, but before I started the browser to check for replies to my previous post, I ran a scan with an updated Ad-Aware SE and it found 18 critical objects related to SpyAxe. I was very surprised, because - as I said - I have not used the PC since I got rid of it and a scan only showed the remaining smitfraud-C file. Anyway - before I proceed to do as you have suggested, here is the log from the Ad-aware scan:

Does this mean that I was re-infected, or does it mean that I have had some stuff there all along that previous scans didn't recognize? Also, when starting up the PC, I got several warning messages from Ad-Watch about registry changes. I blocked them all, but do not feel assured that everything is fine....


Norman Ad-Aware SE Build 1.06r1
Logfile Created on:9. desember 2005 23:47:30
Using definitions file:SE1R79 09.12.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Malware.SpyAxe(TAC index:4):18 total references
MRU List(TAC index:0):9 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Norman Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Norman Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


09.12.2005 23:47:30 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Eier\Programdata\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-746137067-1343024091-1003\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-746137067-1343024091-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-746137067-1343024091-1003\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-746137067-1343024091-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-746137067-1343024091-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-746137067-1343024091-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1606980848-746137067-1343024091-1003\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 756
ThreadCreationTime : 09.12.2005 22:43:59
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 836
ThreadCreationTime : 09.12.2005 22:44:01
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 860
ThreadCreationTime : 09.12.2005 22:44:02
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 904
ThreadCreationTime : 09.12.2005 22:44:02
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Program for tjenester og kontroller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Med enerett.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 916
ThreadCreationTime : 09.12.2005 22:44:02
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1060
ThreadCreationTime : 09.12.2005 22:44:03
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1164
ThreadCreationTime : 09.12.2005 22:44:04
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1212
ThreadCreationTime : 09.12.2005 22:44:04
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [s24evmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1296
ThreadCreationTime : 09.12.2005 22:44:05
BasePriority : Normal
FileVersion : 8, 0, 0, 161
ProductVersion : 8, 0, 0, 161
ProductName : Mobile Unit Support Service
CompanyName : Intel Corporation
FileDescription : Event Monitor - Supports driver extensions to NIC Driver for wireless adapters.
InternalName : S24EvMon
LegalCopyright : Copyright © 2001 - 2003 Intel Corporation, 1997 - 2001 Symbol Technologies, Inc. Portions Copyright © MIT
OriginalFilename : S24EvMon.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1364
ThreadCreationTime : 09.12.2005 22:44:05
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1396
ThreadCreationTime : 09.12.2005 22:44:05
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1816
ThreadCreationTime : 09.12.2005 22:44:06
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [photoshopelementsfileagent.exe]
FilePath : C:\Programfiler\Adobe\Photoshop Elements 3.0\
ProcessID : 1916
ThreadCreationTime : 09.12.2005 22:44:06
BasePriority : Normal


#:14 [mdm.exe]
FilePath : C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\
ProcessID : 1976
ThreadCreationTime : 09.12.2005 22:44:06
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:15 [zanda.exe]
FilePath : C:\Programfiler\Norman\bin\
ProcessID : 2004
ThreadCreationTime : 09.12.2005 22:44:06
BasePriority : Normal


#:16 [photoshopelementsdeviceconnect.exe]
FilePath : C:\Programfiler\Adobe\Photoshop Elements 3.0\
ProcessID : 164
ThreadCreationTime : 09.12.2005 22:44:06
BasePriority : Normal


#:17 [regsrvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 212
ThreadCreationTime : 09.12.2005 22:44:06
BasePriority : Normal
FileVersion : 8, 0, 0, 161
ProductVersion : 8, 0, 0, 161
ProductName : RegSrvc Module
CompanyName : Intel Corporation
FileDescription : RegSrvc Module
InternalName : RegSrvc
LegalCopyright : Copyright © 2002 - 2003 Intel Corporation
OriginalFilename : RegSrvc.EXE

#:18 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 352
ThreadCreationTime : 09.12.2005 22:44:08
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:19 [pdsched.exe]
FilePath : C:\Programfiler\Raxco\PerfectDisk\
ProcessID : 448
ThreadCreationTime : 09.12.2005 22:44:08
BasePriority : Normal
FileVersion : 7, 0, 0, 31
ProductVersion : 7, 0, 0, 31
ProductName : PDSched Module
CompanyName : Raxco Software, Inc.
FileDescription : PDSched Module
InternalName : PDSched
LegalCopyright : Copyright © 2004
OriginalFilename : PDSched.exe

#:20 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 636
ThreadCreationTime : 09.12.2005 22:44:08
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:21 [nvcsched.exe]
FilePath : C:\Programfiler\Norman\Nvc\BIN\
ProcessID : 652
ThreadCreationTime : 09.12.2005 22:44:08
BasePriority : Normal
FileVersion : 1.03
ProductVersion : 1.03
ProductName : Norman Virus Control
CompanyName : Norman Data Defense Systems
FileDescription : NVC Scheduler
InternalName : NVCSched.exe
LegalCopyright : © Norman Data Defense Systems. 1997-2000
OriginalFilename : NVCSched.exe

#:22 [nipsvc.exe]
FilePath : C:\Programfiler\Norman\Nvc\BIN\
ProcessID : 680
ThreadCreationTime : 09.12.2005 22:44:08
BasePriority : Normal


#:23 [njeeves.exe]
FilePath : C:\Programfiler\Norman\bin\
ProcessID : 700
ThreadCreationTime : 09.12.2005 22:44:08
BasePriority : Normal


#:24 [nvcoas.exe]
FilePath : C:\Programfiler\Norman\Nvc\bin\
ProcessID : 716
ThreadCreationTime : 09.12.2005 22:44:08
BasePriority : Normal
FileVersion : 5, 3, 0, 1
ProductVersion : NVC v5.80
ProductName : Norman Virus Control
CompanyName : Norman ASA
FileDescription : NVC OnAccess virus scanner
InternalName : NVCOAS
LegalCopyright : Copyright © 2000-2005
OriginalFilename : NVCOAS.EXE

#:25 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 748
ThreadCreationTime : 09.12.2005 22:44:08
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:26 [zcfgsvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 340
ThreadCreationTime : 09.12.2005 22:44:41
BasePriority : Normal
FileVersion : 8, 0, 0, 161
ProductVersion : 8, 0, 0, 161
ProductName : ZeroCfgSvc Application
CompanyName : Intel Corporation
FileDescription : ZeroCfgSvc MFC Application
InternalName : ZeroCfgSvc
LegalCopyright : Copyright © 2002 - 2003 Intel Corporation
OriginalFilename : ZeroCfgSvc.EXE

#:27 [1xconfig.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1156
ThreadCreationTime : 09.12.2005 22:44:41
BasePriority : Normal
FileVersion : 8, 0, 0, 161
ProductVersion : 8, 0, 0, 161
ProductName : 8021XConfig Module
CompanyName : Intel
FileDescription : 8021XConfig Module
InternalName : 8021XConfig
LegalCopyright : Copyright 2003
OriginalFilename : 1XConfig.EXE
Comments : Wrapper for MH. (Service COM)

#:28 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2312
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Utforsker
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Med enerett.
OriginalFilename : EXPLORER.EXE

#:29 [pronomgr.exe]
FilePath : C:\Programfiler\Intel\PROSetWireless\NCS\PROSet\
ProcessID : 2384
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 6.1.304.0
ProductVersion : 6.1.304.0
ProductName : Intel® Network Configuration Services
CompanyName : Intel® Corporation
FileDescription : PRONotifyMgr Module
InternalName : PRONotifyMgr
LegalCopyright : Copyright© 2001-2002 Intel Corporation
OriginalFilename : PRONoMgr.exe

#:30 [igfxtray.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2392
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 3.0.0.2209
ProductVersion : 7.0.0.2209
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:31 [hkcmd.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2412
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 3.0.0.2209
ProductVersion : 7.0.0.2209
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : HKCMD.EXE

#:32 [syntplpr.exe]
FilePath : C:\Programfiler\Synaptics\SynTP\
ProcessID : 2420
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 7.5.13 19Jun03
ProductVersion : 7.5.13 19Jun03
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
LegalCopyright : Copyright © Synaptics, Inc. 1996-2003
OriginalFilename : SynTPLpr.exe

#:33 [syntpenh.exe]
FilePath : C:\Programfiler\Synaptics\SynTP\
ProcessID : 2432
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 7.5.13 19Jun03
ProductVersion : 7.5.13 19Jun03
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
LegalCopyright : Copyright © Synaptics, Inc. 1996-2003
OriginalFilename : SynTPEnh.exe

#:34 [launchap.exe]
FilePath : C:\Program Files\Launch Manager\
ProcessID : 2448
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : LaunchAp Application
FileDescription : LaunchAp MFC Application
InternalName : LaunchAp
LegalCopyright : Copyright © 2001
OriginalFilename : LaunchAp.EXE

#:35 [hotkeyapp.exe]
FilePath : C:\Program Files\Launch Manager\
ProcessID : 2456
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 1, 0, 5, 4
ProductVersion : 1, 0, 5, 4
ProductName : Wistron HotkeyApp
CompanyName : Wistron
FileDescription : HotkeyApp
InternalName : HotkeyApp
LegalCopyright : Copyright c 2002
OriginalFilename : HotkeyApp.exe

#:36 [osd.exe]
FilePath : C:\Program Files\Launch Manager\
ProcessID : 2472
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : On Screen Display
CompanyName : Wistron
FileDescription : On Screen Display
InternalName : OSD
LegalCopyright : Copyright c 2002
OriginalFilename : OSD.exe

#:37 [wbutton.exe]
FilePath : C:\Program Files\Launch Manager\
ProcessID : 2484
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 1, 0, 3, 7
ProductVersion : 1, 0, 3, 7
ProductName : WButton Application
FileDescription : WButton MFC Application
InternalName : WButton
LegalCopyright : Copyright © 2001
OriginalFilename : WButton.EXE

#:38 [avmanager.exe]
FilePath : C:\Programfiler\Wistron\AVManager\
ProcessID : 2496
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 1, 1, 0, 9
ProductVersion : 1, 1, 0, 9
ProductName : Wistron AVManager
CompanyName : Wistron Corporation
FileDescription : AVManager
InternalName : AVManager
LegalCopyright : Copyright c 2002
OriginalFilename : AVManager.exe

#:39 [zlh.exe]
FilePath : C:\Programfiler\Norman\bin\
ProcessID : 2508
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal


#:40 [agrsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 2532
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 2.1.25 2.1.25 02/14/2003 11:58:58
ProductVersion : 2.1.25 2.1.25 02/14/2003 11:58:58
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe

#:41 [ltmoh.exe]
FilePath : C:\Programfiler\ltmoh\
ProcessID : 2548
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 1.68
ProductVersion : 1.68
ProductName : LtMoh Application
CompanyName : Agere Systems
FileDescription : LtMoh MFC Application
InternalName : LtMoh
LegalCopyright : Agere Copyright © 2001-2002
LegalTrademarks : LT
OriginalFilename : LtMoh.EXE

#:42 [ituneshelper.exe]
FilePath : C:\Programfiler\iTunes\
ProcessID : 2560
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:43 [qttask.exe]
FilePath : C:\Programfiler\QuickTime\
ProcessID : 2584
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:44 [ad-watch.exe]
FilePath : C:\Programfiler\Norman\Norman Ad-Aware SE Plus\
ProcessID : 2604
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 3.1.2.17
ProductVersion : 3.2
ProductName : Ad-Aware SE
CompanyName : Norman
FileDescription : Ad-Watch System Protector
InternalName : Ad-Watch.exe
LegalCopyright : 1999-2004 Norman and/or its licensors
OriginalFilename : Ad-Watch.exe

#:45 [mmtask.exe]
FilePath : C:\Programfiler\MUSICMATCH\MUSICMATCH Jukebox\
ProcessID : 2652
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 9.0.0.1
ProductVersion : 9.0.0.1
ProductName : Musicmatch Jukebox
CompanyName : Musicmatch Inc.
FileDescription : <Musicmatch System Tray Application>
InternalName : mmtask.exe
LegalCopyright : © Musicmatch Inc.. All rights reserved.
OriginalFilename : mmtask.exe

#:46 [acrotray.exe]
FilePath : C:\Programfiler\Adobe\Acrobat 7.0\Distillr\
ProcessID : 2680
ThreadCreationTime : 09.12.2005 22:44:49
BasePriority : Normal
FileVersion : 7.0.1.2005092300
ProductVersion : 7.0.1.2005092300
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright 1984-2005 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroTray.exe

#:47 [ipodservice.exe]
FilePath : C:\Programfiler\iPod\bin\
ProcessID : 2740
ThreadCreationTime : 09.12.2005 22:44:50
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:48 [nip.exe]
FilePath : C:\Programfiler\Norman\Nvc\BIN\
ProcessID : 3024
ThreadCreationTime : 09.12.2005 22:44:50
BasePriority : Normal


#:49 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3052
ThreadCreationTime : 09.12.2005 22:44:50
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:50 [cclaw.exe]
FilePath : C:\Programfiler\Norman\Nvc\bin\
ProcessID : 3120
ThreadCreationTime : 09.12.2005 22:44:50
BasePriority : Normal


#:51 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3568
ThreadCreationTime : 09.12.2005 22:44:53
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Automatiske oppdateringer
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Med enerett.
OriginalFilename : wuauclt.exe

#:52 [acrobat_sl.exe]
FilePath : C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\
ProcessID : 1508
ThreadCreationTime : 09.12.2005 22:44:56
BasePriority : Normal
FileVersion : 7.0.5.2005092300
ProductVersion : 7.0.5.2005092300
ProductName : Adobe Acrobat
CompanyName : Adobe Systems Incorporated
FileDescription : Adobe Acrobat SpeedLauncher
LegalCopyright : Copyright 1984-2005 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroSpeedLaunch.exe

#:53 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3420
ThreadCreationTime : 09.12.2005 22:45:04
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:54 [iexplore.exe]
FilePath : C:\Programfiler\Internet Explorer\
ProcessID : 2988
ThreadCreationTime : 09.12.2005 22:45:55
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Med enerett.
OriginalFilename : IEXPLORE.EXE

#:55 [iexplore.exe]
FilePath : C:\Programfiler\Internet Explorer\
ProcessID : 2996
ThreadCreationTime : 09.12.2005 22:45:55
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Med enerett.
OriginalFilename : IEXPLORE.EXE

#:56 [ad-aware.exe]
FilePath : C:\Programfiler\Norman\Norman Ad-Aware SE Plus\
ProcessID : 2288
ThreadCreationTime : 09.12.2005 22:47:05
BasePriority : Normal
FileVersion : 6.2.0.201
ProductVersion : 106r1
ProductName : Norman Ad-Aware SE
CompanyName : Norman
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Norman and/or its licensors
OriginalFilename : Ad-Aware.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0f68a8aa-a9a8-4711-be36-ae363efa6443}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{28420952-c82b-47d9-a042-fa2217d8a082}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3c099c83-8587-4b35-8af0-fc3a169ce14f}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3fe13f31-e890-4c37-8213-4b5f9a511c26}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{4cad27dc-1b60-42f4-820e-316fe0a13512}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{54874d12-c0c6-44cc-83fb-2c35202f881b}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{54a3200b-d76e-48d1-b35c-d87eaf6d90bd}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{663dfe59-032c-46fb-a09a-ffc2dc074f54}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{69ce4fbc-4861-4206-8211-dd5a9ee79ad3}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{afa9056f-aa11-4771-ae01-04ecfde18206}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b8f2487f-aa6a-4914-9a3f-db84e6868d66}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{e4645720-e02f-4bb2-8e6d-be7653dd1bf2}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{fa46b160-c9dd-4040-b9d9-ccf5d3db5438}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{fc1f0c2c-8117-427d-816c-215b68524f74}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{fd1eee96-8dc7-478d-be3b-7d06ac67fb66}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{fd8e5ed7-0091-416f-a55b-1d072d58a24f}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1606980848-746137067-1343024091-1003\software\classes\clsid\{a2d9d3f0-8c2a-2a1d-a376-1becfb10ab72}

Malware.SpyAxe Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{a2d9d3f0-8c2a-2a1d-a376-1becfb10ab72}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 27


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 27




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27

23:57:32 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:02.176
Objects scanned:132251
Objects identified:18
Objects ignored:0
New critical objects:18

#4
EricAX

Hi again,

After removing the 18 critical objects that my Adaware-Se found (as described in my previous post), I proceeded as you suggested with the deldomains and the fix checked for the items you suggested in the Hijackthis log.

However, the three items starting with 015 - Trusted Zone .... did not exist any more. I guess these were already taken care of by the deldomains before I ran the hijackthis. I checked the other two items. Anyway, I received an error message when I ran the hijackthis fix checked. The message said that a copy of it was saved at my desktop, so I didn't write down what it said, but I couldn't find any files on my desktop. I think it said something about wrong or missing file or something like that.

Anyway, I rebooted my machine, and this is my fresh hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 00:19:45, on 10.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Norman\bin\ZANDA.EXE
C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Programfiler\Norman\Nvc\BIN\nipsvc.exe
C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
C:\Programfiler\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Programfiler\Wistron\AVManager\AVManager.exe
C:\Programfiler\Norman\bin\ZLH.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\ltmoh\Ltmoh.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe
C:\Programfiler\Norman\Nvc\BIN\NIP.EXE
C:\Programfiler\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osloaikid...norskindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osloaikid...norskindex.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programfiler\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AVManager] "C:\Programfiler\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Programfiler\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programfiler\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [mmtask] C:\Programfiler\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107615952093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133735888519
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Programfiler\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Programfiler\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

Does my computer look clean now, or do I still have some stuff on it?

Another thing I was wondering about is a file in my cookies folder. I tried to delete all the files in this folder a couple of days ago, and it was one file that I could not delete. It was called index.DAT. Is this file harmful? Should I try to remove it, and if so - how can I do that?

I look forward to your reply, and thanks for your help so far.
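HijackThis logs pasted into forum posts often arrive with long entries wrapped onto a second line, which breaks a line-by-line comparison of a scan taken before a fix with one taken after. The following Python is an added example, not part of the thread and not HijackThis code: it re-joins wrapped entries, tags each entry as per-user (HKCU) or machine-wide (HKLM), and lists what a fix removed. The function names are hypothetical, and the two sample logs, including the `*.example.invalid` Trusted Zone line, are constructed.

```python
import re
from collections import Counter

# A HijackThis entry starts with a section code (R0, F2, N1, O4, O23 ...) and " - ".
ENTRY_START = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


def rejoin_wrapped(text):
    """Return the log's entries, merging wrapped continuation lines.

    Assumes the text holds only the log: the header and the process list
    before the first entry are skipped, and any later line that does not
    start with a section code is treated as the tail of the previous entry.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            # Editors wrap at a space, so a single space restores the entry.
            entries[-1] += " " + line
    return entries


def parse(entries):
    """Split each entry into section code, registry scope and body."""
    parsed = []
    for entry in entries:
        m = ENTRY_START.match(entry)
        body = m.group("body")
        if body.startswith("HKCU\\"):
            scope = "per-user"       # stored in the logged-on account's hive
        elif body.startswith("HKLM\\"):
            scope = "machine-wide"   # shared by every account on the PC
        else:
            scope = "unspecified"    # the entry text does not name a hive
        parsed.append({"code": m.group("code"), "scope": scope, "body": body})
    return parsed


def section_counts(entries):
    """Count entries per section code, e.g. how many O15 lines remain."""
    return Counter(p["code"] for p in parse(entries))


def diff_logs(before_text, after_text):
    """Return (removed, added) entries between two scans.

    Comparison is case-insensitive because Windows paths are.
    """
    before = rejoin_wrapped(before_text)
    after = rejoin_wrapped(after_text)
    before_keys = {e.casefold() for e in before}
    after_keys = {e.casefold() for e in after}
    removed = [e for e in before if e.casefold() not in after_keys]
    added = [e for e in after if e.casefold() not in before_keys]
    return removed, added


# Constructed sample: a scan taken before the fix, with one wrapped entry.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O15 - Trusted Zone: *.example.invalid
"""

# Constructed sample: the scan after the fix, pasted without wrapping.
AFTER = r"""Logfile of HijackThis v1.99.1

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("sections before:", dict(section_counts(rejoin_wrapped(BEFORE))))
    for entry in removed:
        print("removed:", entry)
    for entry in added:
        print("added:  ", entry)
```

Because the wrapped and unwrapped forms of the BHO entry compare equal after re-joining, only the Trusted Zone line shows up as removed.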

#5
njustice

CONGRATULATIONS! At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future. Please do these steps as soon as possible if you haven't already.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm
d. Bugoff: http://www.majorgeek...wnload4308.html

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download

Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You will find the list here: http://www.spywarewa...nti-spyware,htm

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. See the links below:
a. ZoneAlarm
b. Kerio

7. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore.
a. Turn off system restore by right clicking on "My Computer" and go to "Properties"->"System Restore" and check the box for "Turn off System Restore". Click "Apply" and then "OK". Restart your computer. Reverse these steps and turn "System Restore" back on and create a new restore point.

8. Use GoogleToolbar - It's free, blocks popups and takes seconds to install. Use the toolbar without the advanced features enabled (check this during install); the toolbar is completely inert--it doesn't send any information to Google whatsoever as you surf.
a. GoogleToolbar

9. RegScrubXP 3.25 - Safely cleans junk out of the Windows 2000/XP system registry. All changes made to the registry are fully restorable to its original condition.
a. RegScrubXP 3.25

10. Online Virus Scans - Run these on a regular basis (I usually do about once a month or when I suspect a problem):
a. http://www.pandasoft...n_principal.htm
b. http://www.windowsec...com/trojanscan/
c. http://housecall.trendmicro.com/
d. http://www.bitdefend...can/licence.php

11. Alternative Browsers - Using an alternative browser other than IE will IMMENSELY reduce the risk of infection:
a. Firefox<==my #1 choice
b. Avant
c. Opera


Good luck, and thanks for coming to our forums for help with your security and malware issues.

#6
EricAX

Hi again,

Thank you very much for your help.
Let's hope I never need it again.

#7
EricAX

Hi again,

I wonder if we still may have some problems that are connected to the infection.
My wife logged into her account and said she experienced some problems. When I got rid of the infection, I was in my user account - do I need to perform the same tasks in all accounts that are defined on the PC? Or should the cleanup work for all users? (We also have a third "guest" account - so maybe I need to clean up that too?)

Anyway - my wife got an error message when she opened IE (she doesn't remember exactly what it was). She also complained that she couldn't get the drop-down window in the IE address bar to appear (to show recently visited URLs). I am also unable to enter some sites I usually visit. When I enter the URL (www.osloaikido.no), it takes me to msn.no instead. If I enter the same with http:// in front, it takes me to the correct site. What is the reason for this? How can I clean this up?

When I tried to run Microsoft Antispyware, I got an error message: Unexpected error; quitting. This I didn't get when I ran the same program from my account.
I also tried to run a scan with Housecall, but when I clicked to start the scan, all my browsers suddenly disappeared and nothing else happens. Could these problems be related to the SpyAxe/Smitfraud-c infection we recently had?

I also notice that IE and Mozilla browsers have different home pages, although I asked Mozilla to import from IE. (IE has msn.no while Mozilla has msn.com) Should this be a concern?

Anyway - here is a new hijackthis log from my wife's account. I'd appreciate it if you could have a look at it and tell us if anything is wrong:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:24, on 11.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Norman\bin\ZANDA.EXE
C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Programfiler\Norman\bin\NJEEVES.EXE
C:\Programfiler\Norman\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Programfiler\Wistron\AVManager\AVManager.exe
C:\Programfiler\Norman\bin\ZLH.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\ltmoh\Ltmoh.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\Norman\Nvc\BIN\NIP.EXE
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe
C:\Programfiler\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programfiler\SpywareGuard\dlprotect.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programfiler\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AVManager] "C:\Programfiler\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Programfiler\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programfiler\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [mmtask] C:\Programfiler\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sf-anytime.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107615952093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133735888519
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Programfiler\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Programfiler\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

#8
EricAX

Hi again,

Sorry for writing all this, but I suspect my PC is still not clean, and I don't know what information is important in order for you to be able to help me.

After the problems experienced in my wife's account (as described in the previous post), I logged off her account and logged into mine. Then I received a series of ad-watch alarms and spywareguard browser protection alert.

This is what I got when I logged into my account:

Ad-watch alarm:
An attempt to alter a protected object has been detected (Attempt to delete a registry value)
Root: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Value: Disable TaskMgr
Data: 0
New Data:

At the same time I received a spywareguard browser protection alert:
Warning! Your IE homepage has been changed!
Your Internet Explorer local machine has been changed from
http://www.osloaikid...norskindex.html
to
http://www.microsoft...pver={SUB_PVER}ar=home

I was asked to restore old value or keep new value, but I did not do anything.

I clicked "block" on the ad-watch alarm, and I received some more ad-watch alarms in succession, which I all blocked:

Root: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Run
Value: gcasServ
Data: C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe
New Data:

I blocked this and a new alarm shows up:

Root: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Internet Explorer\Search
Value: Default_Search_URL
Data: http://www.microsoft...edir.dll?prd=iear=iesearch
New Data:

I blocked this to receive a new alarm:

Root: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Internet Explorer\Main
Value: Start Page
Data: http://www.microsoft...pver={SUB_PVER}ar=home

When I press "block" on this alarm, the whole screen goes flickering, and there is nothing I can do. I have to turn off the power and restart the PC this way.

When I start the PC again, I receive a new ad-watch alarm and the same spywareguard alert as the previous time. This time, I click on "restore old value" on the spywareguard alert.

I receive the following ad-watch alarm:

Root: HKEY_LOCAL_MACHINE
Key: Software\microsoft\Internet Explorer\Search
Value: Search Assistant
Data: http://www.google.com/ie
New Data: http://ie.search.msn...st/srchasst.htm

I blocked this and was able to continue starting up the PC.

I tried to scan for problems using some of my anti-malware tools. Ad-aware found nothing. Spybot found nothing. Microsoft AntiSpyware found nothing, but when I searched for updates to this software, I received an error message that I couldn't connect to the internet (I was already connected).

Anyway, are you able to figure out what is still causing problems on my computer?? In case this tells you something, here is my most recent hijackthis log (I expect this to be the same as the one in my previous post, because I haven't really done any changes, but this log is from my account whereas the other was from my wife's account):

Logfile of HijackThis v1.99.1
Scan saved at 12:59:13, on 11.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Norman\bin\ZANDA.EXE
C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Programfiler\Norman\Nvc\BIN\nipsvc.exe
C:\Programfiler\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Programfiler\Wistron\AVManager\AVManager.exe
C:\Programfiler\Norman\bin\ZLH.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programfiler\ltmoh\Ltmoh.exe
C:\Programfiler\Norman\Nvc\BIN\NIP.EXE
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\Norman\Nvc\bin\cclaw.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe
C:\Programfiler\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programfiler\SpywareGuard\sgbhp.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osloaikid...norskindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osloaikid...norskindex.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programfiler\SpywareGuard\dlprotect.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programfiler\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AVManager] "C:\Programfiler\Wistron\AVManager\AVManager.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\Programfiler\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programfiler\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programfiler\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AWMON] "C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [mmtask] C:\Programfiler\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programfiler\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Startup: SpywareGuard.lnk = C:\Programfiler\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programfiler\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programfiler\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107615952093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133735888519
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Programfiler\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Programfiler\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

I hope you can still help me and I look forward to your reply.
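
Added example, not part of the original thread and not HijackThis's own code: a small Python comparison of two HijackThis logs taken on the same PC under different accounts, as in the two posts above. The sample logs are short excerpts of the entries posted above, and the machine/user classification from the `HKLM`/`HKCU` and `Global Startup`/`Startup` prefixes is this example's own simplification; machine-wide entries that differ point to a change between the two scans rather than to a per-account setting.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    code: str   # HijackThis section code, e.g. "O4"
    scope: str  # "machine", "user" or "unknown"
    text: str   # entry text as it appears after "CODE - "


# Section codes used by HijackThis result lines (R0-R3, F0-F3, N1-N4, O1..O24).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Excerpt of the log saved at 11:44:24 (first account), copied from the post.
LOG_ACCOUNT_A = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:44:24, on 11.12.2005

Running processes:
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.sf-anytime.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Excerpt of the log saved at 12:59:13 (second account), copied from the post.
LOG_ACCOUNT_B = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:59:13, on 11.12.2005

Running processes:
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osloaikid...norskindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osloaikid...norskindex.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programfiler\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Programfiler\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Startup: SpywareGuard.lnk = C:\Programfiler\SpywareGuard\sgmain.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def scope_of(text):
    """Classify an entry from explicit markers only (simplification)."""
    if text.startswith(("HKLM\\", "Global Startup:")):
        return "machine"
    if text.startswith(("HKCU\\", "Startup:")):
        return "user"
    return "unknown"


def parse_log(log_text):
    """Return {(code, casefolded text): Entry}, skipping header and process list."""
    entries = {}
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header, blank line or a "Running processes" path
        code = match.group(1)
        text = " ".join(match.group(2).split())  # collapse stray whitespace
        # Windows paths and registry names are case-insensitive: compare casefolded.
        entries[(code, text.casefold())] = Entry(code, scope_of(text), text)
    return entries


def diff_logs(log_a, log_b):
    """Entries present in only one of the two logs, each list sorted by key."""
    a, b = parse_log(log_a), parse_log(log_b)
    only_a = [a[k] for k in sorted(a.keys() - b.keys())]
    only_b = [b[k] for k in sorted(b.keys() - a.keys())]
    return only_a, only_b


def machine_wide_drift(log_a, log_b):
    """Differences that a per-account setting cannot explain."""
    only_a, only_b = diff_logs(log_a, log_b)
    return ([e for e in only_a if e.scope == "machine"],
            [e for e in only_b if e.scope == "machine"])


if __name__ == "__main__":
    only_a, only_b = diff_logs(LOG_ACCOUNT_A, LOG_ACCOUNT_B)
    for label, entries in (("only in A", only_a), ("only in B", only_b)):
        for e in entries:
            print(f"{label:10} [{e.scope:7}] {e.code} - {e.text}")
```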

#9
EricAX

Hi again,

I just ran an online scan from Symantec in order to find more information about what is wrong with my PC, and it found a trojan horse. This is the error message I got:

Virus Status: Infected!
Your computer is infected with at least one known threat.

56904 files scanned, 1 file(s) infected on your disk drives.

No viruses were detected in memory.

Your computer is infected with at least one known virus or Trojan horse.

Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.


C:\Documents and Settings\Eier\Lokale innstillinger\Temporary Internet Files\Content.IE5\6T8NE1A5\wbk6.tmp is infected with Download.Trojan

It further suggests that I should buy Norton's anti virus software in order to get rid of it. Is it possible to get rid of it without buying this software? Can you help me with this? (I already have Norman antivirus program).

Do you think this Download.Trojan can be connected with the SpyAxe / Smitfraud-C infections I have had?

Norman did not find anything, but it found some files it could not parse or unpack. Is this something I should be worried about? This is what it says it could not parse or unpack:

C:\Programfiler\Fellesfiler\Java\Update\Base Images\ire1.5.0.b64\core3.zip: lib/security/local_policy.jar
C:\Programfiler\Fellesfiler\Java\Update\Base Images\ire1.5.0.b64\core3.zip: lib/security/US_export_policy.jar
C:\Program\Java\ire1.5.0_04\lib\security\local_policy.jar
C:\Program\Java\ire1.5.0_04\lib\security\US_export_policy.jar

Other than this, Norman does not detect anything.

I have tried to delete offline content in the temporary internet files, but I am not convinced that everything is fine.

I look forward to your advice on how to finally get rid of my infection.

#10
njustice

Hello Eric...sorry for the long delay. Sometimes I have problems bringing up the site.

Let's start with the files Norman found....they are legit files.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot".
    • From the main Killbox Window, Select Options>>Delete on Reboot>>Process all in List
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\Documents and Settings\Eier\Lokale innstillinger\Temporary Internet Files\Content.IE5\6T8NE1A5\wbk6.tmp


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here.

#11
EricAX

Dear njustice,

Thank you for your reply.
I am at work now, but I will do as you say as soon as I get home. However, I just have one other question.
Is the file index.DAT that I have in my cookies folder a legit file or should I try to remove it? I see that none of the other user accounts have such a file, and I am not able to delete it or rename it. What do you suggest I do with it?

Anyway, I'll do the tasks you ask me to and post the result as soon as I get home.

#12
EricAX

Dear njustice,

I have done what you suggested in your previous post.

I don't have a printer at home, and was asked to close all browsers before I ran CleanUp! so I didn't have the instructions in front of me. Therefore, I did slightly different from what you suggested, but I hope that does not make any big difference. At the end of the CleanUp! it said it had to reboot in order to clean up some files, and I said yes even though you suggested I say no. I hope this was not a big mistake??

I also did as you suggested with the Killbox, but I never got any pending operations prompt.

Anyway, the active scan did not find anything. I did not find any scan log from activescan. If you need to see such a log: how can I produce one? Anyway, the activescan did not find anything (it did not find anything when I ran it yesterday either - before the CleanUp! and Killbox).

Anyway, I still experience some strange behaviour with my PC. I don't know if it helps you if I describe the symptoms, but this is what I experience (Please let me know if it is a waste of time writing all this):

- Maybe every second time I try to log on, I receive the series of Ad-Watch alarms about registry changes. These are exactly the same as I have described in a previous post. I always press "block" on these requests. What is actually happening here? When I log into my wife's account, I just get messages of registry changes, but I am not asked to block or allow them. One time I could not get through these alarms, and I was not able to block the one asking to change my homepage. I could not open the start menu, and I had to turn off the power and log in again in order to get around it. Am I right when I assume that these attempts to change my registry indicate that my PC is still infected by something?

- One time when I logged on, Norman did not start and I got a warning message in my lower toolbar saying that my PC was at risk and that no firewall was activated. This time I restarted the PC through the start menu.

- One time I restarted I was not able to use Internet Explorer at all. IE said it couldn't open search page, although I could access the same site with Firefox. I restarted the PC. Other times I have entered urls in the addressbar, I noticed that my browser was "downloading from: C:\\WINDOWS\System32\shdoclc.dll\dnserror.htm", but nothing happened. What does this mean?

- I ran a Spy Sweeper sweep, and it found the following item: c:\documents and settings\eier\siste\spyaxe.lnk. It says I cannot remove this without a subscription, but when I look for the file, I cannot find it. Actually, I cannot even find the folder. (FYI: "siste" means last in Norwegian and "eier" means owner). (I find a folder "siste" under c:\documents and settings\Administrator that was created December 5., but this is empty). Since I cannot find the file, I cannot delete it manually either.

- I have had some problems with Microsoft AntiSpyware. On my wife's account I received a lot of error messages, and on my account it was not able to connect to the Internet to search for updates. I tried to uninstall the program, and I received some error messages that it was not able to unregister. When I tried to install it again, I received the same error messages, that it was not able to register. This is what I receive when I try to install Microsoft AntiSpyware again (I installed this software after I first got infected and it ran well for many days, but these problems suddenly came up and have prevailed for a couple of days now):

Eror 1904.Module
C:\WINDOWS\System32\GCCollection.dll failed to register. HRESULT -2147220473. Contact your support personnel

I click OK and receive a second similar error message:

Eror 1904.Module C:\Programfiler\Microsoft AntiSpyware\GCCollection.dll failed to register. HRESULT -2147220473. Contact your support personnel

I click OK and receive a third error message:

Eror 1904.Module C:\Programfiler\Microsoft AntiSpyware\shellextension.dll failed to register. HRESULT -2147220473. Contact your support personnel

I click OK, and I receive a message that installation is complete. (The last three times I reinstalled the software I received messages that I could not connect to the Internet when I searched for updates, but this time this actually seemed to work. Anyway - I received some error messages about registration, so I suspect that something is wrong).

Apart from this, the PC has gotten extremely slow - especially when starting IE explorer and windows explorer etc. I guess this doesn't necessarily mean something is wrong and might be because of all the protection stuff I now have running?

Anyway - this is getting really frustrating. I have tried one and a half week now to get rid of the stuff I assume is on my PC and I can't use my PC for anything else than looking for viruses and spyware. I really hope you are able to help me out with this one and I really appreciate the time and effort you put into helping me. I look forward to your reply, and please let me know what information you need in order to understand what is wrong and what I can do to clean up my PC.

#13
EricAX

Hi again,

I am experiencing some more problems I thought it would be useful for you to know:

I now suddenly have problems running Microsoft Office Outlook. When I click on the shortcut on the desktop (that I use every day), it starts to install Office 2003. I don't know why it starts installing it, since I have never uninstalled it. Are there some viruses that uninstall stuff on my PC??
I received the following error messages during the installation:

Installation Error: File not Found. A required installation file SKU011.CAB could not be found.

and

Error 2203.
An Internal error has occured. (C:\WINDOWS\Installer\394a76.ipi -2147287035). Contact your Information TEchnology department for assistance.

and

An error occured and this feature is no longer functioning properly. Would you like to repair this feature now?

I don't know what this will do, so I click "No". I receive the following message:

Microsoft Office Outlook has not been installed for the current user. Please run setup to install the application.

Do I have something on my computer that deletes my file?? What has happened?? I always use Outlook for this user, and this is the first time I have any problems like this. I suspect it has something to do with the infection I got. Please help!

Regarding the alarms I get from Ad-aware when I start up, the SpywareGuard gives a little more information. In case this helps you in finding out what is wrong:
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 20:28:04 12.14.2005 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Start Page
Old Value: http://www.osloaikid...norskindex.html
New Value: http://www.microsoft...B_PVER}&ar=home
User Action Taken: RESTORE OLD VALUE

I have also been in the task manager to see what processes are running, but as I am illiterate when it comes to computers, it doesn't tell me much. Anyway, I see that a process Nvocas.exe was using CPU when I had some problems. I searched Google for this but couldn't find anything. Do you know if this is a legit process??

Anyway, I really hope you are able to help me, and I am really starting to be worried if it turns out I have something that deletes my files. I look forward to your reply.

Edit: I just tried to run Microsoft Office Word and Excel. Same thing happens. Nothing works anymore. I used Word just a couple of hours ago!! What is going on?? Please help!

Edited by EricAX, 14 December 2005 - 03:05 PM.


#14
njustice

Hello, quite a sea of information to go thru, but please be patient and we'll get you thru this.


The index.dat file is legit. The office and OE errors could be from many sources. Are you running two anti-virus programs? Reason I ask is I don't recognize AVManager. If you have more than one anti-virus installed please uninstall one as this can cause many problems with your computer.


I need you to log in to each account on your computer and perform the following:

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList from the notepad into your next post

Please separate each log and label them according to account name.

#15
EricAX

Thanks for the advice. I'll do what you advise when I get home and I will post the results. Just to answer your question about the anti-virus program / AVManager:
I am a little confused as to what is anti-virus and what is anti-spyware etc... I have run a number of different scans, but the programs I have got running are usually Norman Anti-Virus and Norman Ad-watch (yesterday I noticed that the Norman anti-virus program did not run when I logged into the "guest"-account). After this infection I have also been running Microsoft AntiSpyware, SpywareBlaster, SpywareGuard and the trial version of SpySweeper. I have also run scans with Norman Ad-aware, Spybot S&D and Panda online activescan etc, but I don't think any of these run in the background?? I have no idea what an AVManager is??

I would appreciate it if you would give me advice on which programs to run and which I should not run together. My PC has been extremely slow lately, so if I can drop some of the programs without losing considerable security, that would be great. What would you recommend I need to run in addition to Norman anti-virus and Norman Ad-watch? Also, this situation seems to worsen - I have been using office for days since the infection and suddenly it fails - do you recommend that I don't use the PC until I have solved the problem? Is there any chance that things will get worse from normal usage of the PC until I have solved this? Please advise. I have a lot of things I need to do, so I hope this is possible, but I don't want to do it if there is a chance I will make things worse.

Anyway, I'll post the startup logs as soon as I have them. Thanks again.

Edit:

Ok, now I am home and I have created the startup lists. They are rather extensive, so I include them as attachments instead of in the post.
There are three user accounts on the PC as you can see, and since it is in Norwegian, I'll just give you some translations:
"Gjest" means "Guest" and is the guest-account which has no password.
"Eier" means "Owner" and this account has administrative rights.

When I created the first startuplist (for Gjest) I received the following error message from HijackThis:
"Unexpected error occurred!
Error #52 (Bad file name or number) in Sub EnumJOBs().

Please send a report to [email protected], mentioning what you were doing, and what version of Windows you have.

This message has been copied to your clipboard."

When I logged off from the second account, some Microsoft updates were installed, which I guess were in effect when I created the third list from the Eier account. Anyway, attached are the three lists.


Edited by EricAX, 15 December 2005 - 10:03 AM.
