Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

How to get rid of 227.4.167.118

 
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

Posted: Sat Apr 08, 2006 2:34 am    Post subject: How to get rid of 227.4.167.118

I've followed the discussion about IP address 227.4.167.117 that is controlling my computer. Before running HijackThis, I ran Ad-Aware. This is a log file with HijackThis. Which files should I remove?

Logfile of HijackThis v1.99.1
Scan saved at 12:42:32, on 8.4.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\system32\sistray.exe
C:\Norman\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\Norman\bin\niu.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp964A.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: bw+0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Thanks for your help!
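An added example (my own code, not anything posted in this thread): a small triage script for HijackThis logs that parses the R/O item lines into records, flags entries with a few heuristics, and diffs two logs from the same machine to show what changed after a cleanup. The sample logs are constructed excerpts of the two logs posted in this thread, and the heuristics (an unnamed BHO backed by an hp####.tmp DLL in system32, an autorun entry naming the rogue product identified in the thread, and "(file missing)" orphans) are my assumptions drawn only from the entries visible here, not a general rogue-software signature set.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed excerpts of the two HijackThis logs posted in this thread:
# the original log, and the log posted after the cleanup steps were run.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp964A.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpD418.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
"""


class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "O2", "O4", "O18"
    detail: str   # everything after the "O2 - " prefix


# HijackThis item lines start with a section code: R0-R3, F0-F3, N1-N4 or O1-O24.
HJT_LINE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


def parse_hjt(text: str) -> List[Entry]:
    """Return the item lines of a HijackThis log as (section, detail) records."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


# The heuristics below are assumptions drawn only from the entries visible in
# this thread; they illustrate log triage and are not a complete signature set.
ROGUE_NAMES = ("spywarequake", "spyfalcon")
TMP_BHO = re.compile(r"\\hp[0-9a-f]{4}\.tmp")


def classify(entry: Entry) -> List[str]:
    """Return the reasons an entry looks suspicious (empty list = nothing noted)."""
    reasons = []
    low = entry.detail.lower()
    if entry.section == "O2" and low.startswith("bho: nothing") and TMP_BHO.search(low):
        reasons.append("unnamed BHO backed by an hp####.tmp DLL in system32")
    if entry.section == "O4" and any(name in low for name in ROGUE_NAMES):
        reasons.append("autorun entry for a rogue anti-spyware product")
    if "(file missing)" in low:
        reasons.append("registry entry points at a file that no longer exists")
    return reasons


def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    """Parse a log and return only the entries that trip a heuristic."""
    flagged = []
    for entry in parse_hjt(text):
        reasons = classify(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def diff_logs(before: str, after: str) -> Tuple[List[Entry], List[Entry]]:
    """Return (added, removed) item lines between two logs of the same machine."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for label, log in (("before cleanup", LOG_BEFORE), ("after cleanup", LOG_AFTER)):
        print(f"== flagged entries {label} ==")
        for entry, reasons in triage(log):
            print(f"{entry.section} - {entry.detail}")
            for reason in reasons:
                print(f"    -> {reason}")
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("== new since first log ==")
    for e in added:
        print(f"{e.section} - {e.detail}")
    print("== gone since first log ==")
    for e in removed:
        print(f"{e.section} - {e.detail}")
```

Run against the two excerpts, the diff shows the BHO CLSID changed and the Panda ActiveScan DPF entry was added, while the SpywareQuake autorun entry is still flagged in the second log.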
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

Posted: Sat Apr 08, 2006 3:43 am    Post subject:

Hello and welcome to the spyware warrior forums.

I will be more than happy to help you work on your problems. Please give me some time to review your log, as this can be a lengthy process. I will be back with you as soon as I can. As I am an undergrad, my answers will be checked by an expert before I post back.

In the meantime
The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!
Please, if you decide to seek help at another forum, let us know. There is a shortage of helpers and tying 2 of us up is a waste of people power.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.


Last edited by bob4 on Sat Apr 08, 2006 10:58 am; edited 1 time in total
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

Posted: Sat Apr 08, 2006 4:49 am    Post subject:

Looks like you've been infected with Spyware Quake

Please do not delete anything unless instructed to.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download smitRem.exe ©noahdfear, and save the file to your desktop.


Double-click on the smitRem.exe file to extract it to its own folder on the desktop.



Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Please download the trial version of
ewido anti-malware

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download roguescanfix.exe, and save it to your desktop.
Double click roguescanfix.exe to install it. We will use this tool later.

Next, boot into Safe Mode. To do this:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Open the smitRem folder on your desktop

Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Next, open the roguescanfix folder, and double-click run.bat.
Your desktop and icons will disappear and then reappear again; this is normal.
Wait till the message "Completed script execution" appears, then click OK.
Click "Exit" to close BFU.
Click "OK" to start the SpywareQuake/Spyfalcon uninstaller, after that click "uninstall".


Next, Run Ewido:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.

  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.

    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button

  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

Posted: Mon Apr 10, 2006 8:37 pm    Post subject:

Bob4, thank you for your fast reply and help. I followed your instructions precisely and found no problems. Now everything is OK and Spyware Quake seems to be history. Here are the log lists you requested. Thanks once more!

Panda scan report:

Incident Status Location

Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\dfrgsrv.exe
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Janne\Suosikit\Antivirus Test Online.url
Potentially unwanted tool:application/spywarequake Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SPYWAREQUAKE
Virus:Exploit/ByteVerify Renamed C:\Documents and Settings\Janne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv669.jar-72b8a91-214d7019.zip[Matrix.class]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Janne\Työpöytä\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Janne\Työpöytä\smitRem.exe[Process.exe]

New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 0:17:39, on 11.4.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\sistray.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Norman\bin\niu.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpD418.tmp (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SpywareQuake] C:\Program Files\SpywareQuake\SpywareQuake.exe /h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: bw+0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {87843058-83BA-417D-B4A0-0DE0FC4A16F4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


smitfiles.txt:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [version 5.1.2600]

Running from
C:\Documents and Settings\Janne\Työpöytä\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 736 'explorer.exe'
Killing PID 736 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)


Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:46:45, 10.4.2006
+ Report-Checksum: B75CF203

+ Scan result:

:mozilla.12:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Janne\Application Data\Netscape\NSB\Profiles\5oanml43\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Janne\Cookies\janne@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Janne\Cookies\janne@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\Documents and Settings\Janne\Cookies\janne@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Janne\Cookies\janne@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup


::Report End
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Wed Apr 12, 2006 6:11 pm

Go to Start / Control Panel / Add/Remove Programs
and uninstall
Logitech Desktop Messenger

Download roguescanfix from here:
http://www.martijnc.be/tools/roguescanfix.exe
Save it to your desktop.

Double-click roguescanfix.exe to install it.
Open the roguescanfix folder, and double-click run.bat.
Your desktop and icons will disappear and then reappear again; this is normal.
Wait till the message "Completed script execution" appears, then click OK.
Click "Exit" to close BFU.
Click "OK" to start the SpywareQuake/Spyfalcon uninstaller; after that click Uninstall.

Post a new Hijackthis log.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Wed Apr 12, 2006 10:20 pm

-Click "OK" to start the SpywareQuake/Spyfalcon uninstaller; after that click uninstall.-

I couldn't find that, and nothing came up after exiting BFU. What should I do?
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Thu Apr 13, 2006 3:15 am

I will need an uninstall list.
Open HJT, select Misc Tools,
click on Uninstall Manager, then Save List.

Post that back with another HJT log.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Thu Apr 13, 2006 10:10 pm

This is the uninstall file:

Ad-Aware SE Personal
Adobe Photoshop Album 2.0
Adobe Photoshop Elements 2.0
Adobe Reader 7.0
Aerosol Instrument Manager
ArcSoft PhotoStudio 5.5
Athlon 64 Processor Driver
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 1.6.1
Canon Utilities EOS Capture 1.3
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
DVD Shrink 3.2
ewido anti-malware
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
InterActual Player
InterVideo WinDVD
Java 2 Runtime Environment, SE v1.4.2_03
Logitech MouseWare 9.80
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Finnish Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AutoRoute v11.0
Microsoft Encarta Encyclopedia Standard - WE 2004
Microsoft Office Professional Edition 2003
Microsoft Picture It! Photo Standard 9
Microsoft Works
Microsoft Works 2004 Component Selection
Microsoft Works Suite Add-in for Microsoft Word
Nero OEM
NeroVision Express 2
Netscape Browser (remove only)
Norman Internet Control
O2Micro MemoryCardBus Windows Driver
Panda ActiveScan
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Shockwave
SiS 900 PCI Fast Ethernet Adapter Driver
SiS VGA Utilities
Smart Link 56K Modem
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Synaptics Pointing Device Driver
TypingMaster Pro
VIA Audio Driver Setup Program
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Toolbar



This is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:06:52, on 14.4.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\sistray.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Norman\Npf\BIN\npfmsg2.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Norman\bin\niu.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Janne\Omat tiedostot\Janne\spywarewarriors_bob4\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fimnet.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpD418.tmp (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Fri Apr 14, 2006 1:18 pm

Posting this:

Reconfigure Windows XP to show hidden files:

Click Start, then My Computer.
Select the Tools menu, then Folder Options. Select the View tab.
Under the "Hidden files and folders" heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.


Safe mode:
Please reboot to safe mode:
After the very first black screen, start tapping the F8 key until prompted with a list; choose Safe Mode.

Run HijackThis and choose Scan Only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.


O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpD418.tmp (file missing)
Please note: the line can be hpxxxx.tmp where xxxx is a bunch of random alphanumerics. This can change slightly after a reboot in some cases. So any line that has hpxxxx.tmp is bad

Search for and remove
Now I want you to search for and delete the following file if present. If you need help finding it:
Click Start / Search / All files and folders / look for More advanced options; once in there, select the first 3 boxes.
Just delete what I have marked in BOLD

C:\WINDOWS\system32\hpD418.tmp
Please note: the file can change. Notice the file we are looking for matched the O2 line I am asking you to fix. So if the line changes, so will the file. It very possibly is gone. Just want to be sure.


Post another log for me please.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
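The triage bob4 does by eye in the post above (an O2 BHO whose DLL is a random hpxxxx.tmp in system32, an entry flagged "(file missing)" that still needs fixing so the hook is not left behind, a Run entry given as a bare filename) can be written down as a few checks over HijackThis log lines. The script below is an added example for this thread; it is not code from the original posts or from HijackThis. The sample lines are copied from the logs posted above and labelled as constructed; the hpxxxx.tmp regex (two letters plus 3-4 hex digits), the severity labels and the reason strings are this example's own assumptions, not anything HJT itself reports.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: six lines copied from the HijackThis logs posted in this
# thread, including one clean line of each type for contrast. Raw string, so the
# backslashes are literal Windows paths.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpD418.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
""".strip()

# Every HJT 1.99 entry starts with a section tag (O2, O4, O23, R0, ...) and " - ".
HJT_LINE = re.compile(r"^(?P<kind>[OR]\d{1,2}) - (?P<body>.+)$")
# Assumption: the "hpxxxx.tmp" shape bob4 describes, tightened to two letters plus
# 3-4 hex digits, sitting directly in system32.
TMP_IN_SYSTEM32 = re.compile(r"\\system32\\[a-z]{2}[0-9a-f]{3,4}\.tmp$", re.IGNORECASE)
FILE_MISSING = re.compile(r"\s*\(file missing\)$", re.IGNORECASE)

# Reason strings are this example's own wording.
REASON_TMP_MODULE = "loadable module named like a temp file in system32 (hpxxxx.tmp pattern)"
REASON_MISSING = "entry points at a file that no longer exists; fix the line so it is not re-created"
REASON_BARE_NAME = "Run entry is a bare filename resolved through PATH; confirm which binary loads"
REASON_NO_OWNER = "service has no recognised owner string; verify the vendor before trusting it"


@dataclass
class Finding:
    kind: str      # HJT section tag, e.g. "O2"
    severity: str  # "high", "review" or "info"
    reason: str
    line: str


def _target(kind: str, body: str) -> str:
    """Return the file/command field of an HJT line: the text after the
    [name] for O4 entries, the last ' - ' separated field otherwise."""
    if kind == "O4":
        m = re.search(r"\]\s*(.*)$", body)
        return m.group(1).strip() if m else ""
    return body.rsplit(" - ", 1)[-1].strip()


def triage_line(line: str) -> list[Finding]:
    """Apply the heuristics to one HJT line and return zero or more findings."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    target = _target(kind, body)
    path = FILE_MISSING.sub("", target)
    found: list[Finding] = []
    # A BHO/toolbar/protocol handler whose DLL is a random .tmp in system32 is
    # the pattern this thread is chasing; that is the one real "high".
    if kind in ("O2", "O3", "O18") and TMP_IN_SYSTEM32.search(path):
        found.append(Finding(kind, "high", REASON_TMP_MODULE, line))
    # "(file missing)" means the registry hook outlived its payload: still fix
    # it, because a re-dropped payload would load again without a new hook.
    if FILE_MISSING.search(target):
        found.append(Finding(kind, "review", REASON_MISSING, line))
    # Run entries without a directory are resolved via PATH: legitimate for
    # some vendors, but worth confirming which file actually executes.
    if kind == "O4" and "\\" not in path.strip('"'):
        found.append(Finding(kind, "review", REASON_BARE_NAME, line))
    # HJT prints "Unknown owner" or an empty owner field for unsigned services.
    if kind == "O23" and (" - Unknown owner - " in body or " - - " in body):
        found.append(Finding(kind, "info", REASON_NO_OWNER, line))
    return found


def triage_log(text: str) -> list[Finding]:
    """Triage a whole HJT log; findings come back in log order."""
    return [f for ln in text.splitlines() for f in triage_line(ln)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.reason}\n         {f.line}")
```

Run against the sample, the only "high" is the hpD418.tmp BHO; the same line also gets a "review" for "(file missing)", which is exactly why bob4 still asks for the O2 line to be fixed even though the file itself could not be found. The bare "Logi_MwX.Exe" Run entry and the two Norman/SmartLink services with no owner string come out as things to verify, not as verdicts.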
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Sat Apr 15, 2006 12:56 am

Ok, done. I didn't find hpD418.tmp.

Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:48, on 15.4.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Janne\Omat tiedostot\Janne\spywarewarriors_bob4\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fimnet.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpD418.tmp (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Sat Apr 15, 2006 4:11 am    Post subject: Reply with quote

That darn O2 line is still there. But we will get it. Something may be protecting it.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Do not use any other options until I ask.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Sat Apr 15, 2006 9:59 pm    Post subject: Reply with quote

SmitFraudFix v2.31

Scan done at 8:56:50.71, su 16.04.2006
Run from C:\Documents and Settings\Janne\Työpöytä\SmitfraudFix
OS: Microsoft Windows XP [versio 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Janne\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Nykyinen kotisivu"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Sun Apr 16, 2006 4:44 am    Post subject: Reply with quote

Download Blacklight Beta from here:
http://www.f-secure.com/blacklight/try.shtml

Hit I accept. It will take you to the download page.

Download blbeta.exe and save it to the Desktop.

Once saved... move blbeta.exe to C:\ - Local Disk (C)
You can do this by going to My Computer then double clicking on C:.
Locate blbeta.exe and right click on it, select Cut, right click an empty space in the folder you just opened and select Paste.

Click Start, then Run and paste the following in the edit box : C:\blbeta.exe /expert and hit Enter (or click Ok)

Click accept agreement and click Scan.
This app, too, may fire off a warning from your antivirus. Let the driver load.
Wait for it to finish.

If it displays any items...don't do anything with them yet. Just hit exit (close)

It will drop a log on the Desktop or in the C:\ folder that starts with fsbl....big number
Please post contents of log.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Sun Apr 16, 2006 9:59 am    Post subject: Reply with quote

Here's the log:

04/16/06 20:55:49 [Info]: BlackLight Engine 1.0.35 initialized
04/16/06 20:55:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/16/06 20:55:50 [Note]: 7019 4
04/16/06 20:55:50 [Note]: 7005 0
04/16/06 20:55:53 [Note]: 7006 0
04/16/06 20:55:53 [Note]: 7011 1340
04/16/06 20:55:53 [Note]: 7026 0
04/16/06 20:55:53 [Note]: 7026 0
04/16/06 20:55:53 [Note]: FSRAW library version 1.7.1015
04/16/06 20:57:13 [Note]: 7007 0
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Mon Apr 17, 2006 8:02 am    Post subject: Reply with quote

Your Java is outdated and a security risk.
Go to add remove programs and uninstall Java runtime.
Now we need to update it.

Please go to:
http://www.java.com/en/download/manual.jsp
Download and install the new version.

HJT
Run HJT and place a check mark by the following lines:
Be sure to close all other windows and browsers BEFORE clicking on fix checked.

O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpD418.tmp (file missing)


Post a new HJT log please, done with Windows running in normal mode, not Safe Mode.

Let me know how things seem to be running now.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Mon Apr 17, 2006 12:31 pm    Post subject: Reply with quote

New Java downloaded. Seems that my browser is working faster than before! Here's the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 23:24:11, on 17.4.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\sistray.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Norman\Npf\BIN\npfmsg2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Janne\Omat tiedostot\Janne\spywarewarriors_bob4\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fimnet.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Mon Apr 17, 2006 3:07 pm    Post subject: Reply with quote

Please go to Add/Remove for the "J2SE Environment version 4" Java and uninstall it.
There should only be "J2SE Environment version 5" showing. Just let me know how that goes.

Great news!

Your log now appears to be clean.

Let's do a few things to tidy up.
Please do these in the order I suggest!

UNDO SHOW ALL FILES
Click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Deselect the checkbox labeled Display the contents of system folders.
Deselect the checkbox labeled Show hidden files and folders.
Replace the checkmark in the checkbox labeled Hide file extensions for known file types.
Replace the checkmark in the checkbox labeled Hide protected operating system files.
Press the Apply button and then OK.
Now many important files are safe.


Clean up
Download CCleaner.
Install this tool.

Open it. When it first opens, go to Options and slide the bar to Standard cleanup.
Then, if you do not want to type in passwords for sites and such again, uncheck "delete cookies". This is at your option.
Also at your option: uncheck "news group subscriptions".
This you should check: "fully erase (wipe clean)".
Press OK, then Cleanup!

Please create a 'clean' System Restore Point:
The reason for doing this is so that, in case you need System Restore, you don't put back all we just took out.
Right click My Computer
Then Properties, then System Restore
Place a check mark by Turn off System Restore
Click APPLY
Windows will give you a warning; click Yes
REBOOT

Now go right back to the same place and uncheck system restore
Click APPLY and OK

A few things to help with possible threats


SpywareBlaster

Install SpywareBlaster


SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.

Download and keep these updated and run weekly


Adaware
Tutorial

Spybot Search & Destroy

Tutorial


You can read about safer surfing here

Keep windows updated
Or:
Right click My Computer, open Properties, go to Automatic Updates and click on Automatic (recommended).

And it goes without saying do not open Email from someone you don't know.

How you may have become infected

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints; you do not have to be registered to post. Just find your country room and register your complaint.
You were infected with Spyware Quake


Safe and Happy Surfing.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Wed Apr 19, 2006 8:07 am    Post subject: Reply with quote

What happened to Windows XP graphics? I cleaned up and after that the notice said that some of the 'things' (I don't remember) might not work properly in XP and I should install Service Pack 2. I don't have the disk for SP2. Well, I ignored that and followed your instructions 'create a 'clean' System Restore Point'. After reboot, I unchecked system restore -> apply -> ok. But the graphics is still very lousy and, for instance, in IE there isn't any toolbar, only for the address. What should I do? Format the hard disk? Use the recovery disk for XP provided by Fujitsu?
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Wed Apr 19, 2006 2:41 pm    Post subject: Reply with quote

First, I am sorry you are having problems. I will not bail on you.

You can check to be sure that SP2 is still installed:
Right click My Computer, then Properties, and look in the General tab. This should show something like:

System:

Microsoft home or professional

Version XXXX

service pack 2



******************************

go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

********************************


Tool bars
Try right clicking on the top where the tools you can see are in a blank area. This will bring up a pull down menu. See if a few things there are unchecked and check them and see if your toolbars come back.


***********************************
Would you please explain a little more on the graphics issue you're describing. Or is it mostly Internet Explorer acting funny, missing toolbars and such? I'm just not completely clear on what you mean by XP graphics. Has the desktop changed?

*************************************

Nothing is done to any settings when we create a new restore point. All this does is remove restore points that have the infections in them we removed. If you were to use System Restore without cleaning it out you would put back all the infections.

You may go to this site and order a CD. It is an important item to have.
http://www.microsoft.com/windowsxp/sp2/default.mspx
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Fri Apr 21, 2006 11:26 am    Post subject: Reply with quote

jjraula,
Have you had time to try any of this?
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Sat Apr 22, 2006 2:20 am    Post subject: Reply with quote

Yes, I tried those but something is wrong. XP is running and I think I still have SP2. And I didn't have this 'Security Info'. Some examples that do not work properly:

- Start at the screen bottom does not show up properly. For instance, the Start button is missing. I right-clicked and tried to get it back but nothing happened. When using IE, the page label does not appear at the display bottom. I checked that all the related options were selected but...

- In the File Manager the folder and file images are missing. I'm not able to open digital photos. It seems that some of the programs or its components are not working.

- I tried to change the desktop image in Display settings, nothing happened.

- In Internet Explorer the toolbar contains only a few items like Previous, Find, Favorites, and that's all. I tried many times to change options by right-clicking and selecting items. No response.

- The graphics of the shortcuts on the desktop have undefined white boundaries (I'm not able to describe it better)

- In many cases it says that 'cannot open a certain application because that part is missing...' etc.

It seems that I cleaned up too well... I have a recovery disk of Windows XP Home Edition SP2 that came along with the computer when I bought it.
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Sat Apr 22, 2006 2:58 pm    Post subject: Reply with quote

Can you tell me what part of the clean up process you were running when you got the notice that some things may not work right?
Were you able to get tool bars back on Internet explorer?

Open HJT
Click on Misc Tools section.
Open Uninstall Manager
Click on Save list.
Save it to your desktop
and post the contents of that log in your next reply along with a new HJT log.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Sat Apr 22, 2006 6:35 pm    Post subject: Reply with quote

Copy the contents in the box.

Quote:
dir c:\windows\resources\themes /s >>c:\output.txt & dir c:\windows\resources\themes /a:h /s >>c:\output.txt & dir c:\windows\resources\themes /s /a:s >>c:\output.txt & notepad c:\output.txt


Click
start/run

then type in

cmd

Right click in the black dos window and select paste.
Then enter.

Post the contents of that log please.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Sun Apr 23, 2006 12:45 am    Post subject: Reply with quote

I don't have that START down left, so it took time to search for Command Prompt. You have to understand that I have almost all texts in Finnish and sometimes the translation is not straightforward.

I used your command line but it said two times 'File not found' and one time 'Defined program can not be run'. These are my translations. Then I added command by command and see the result below.

Here are some translated texts to aid you...

Tiedostoa ei löydy = File not found
Määritettyä ohjelmaa ei voi suorittaa = Defined program can not be run
Aseman C nimi on 25-11-42 = Name of drive C
Aseman sarjanumero on A001-C1F7 = Serial number of drive
Kansio = Folder
tiedosto = File
tavua = Bytes
tavua vapaana = Bytes free
Tiedostoja yhteensä = Files total


C:\Documents and Settings\Janne>cmd
Microsoft Windows XP [versio 5.1.2600]
(C) Copyright 1985 - 2001 Microsoft Corp.

C:\Documents and Settings\Janne>dir c:\windows\resources\themes /s >>c:\output.t
xt & dir c:\windows\resources\themes /a:h /s >>c:\output.txt & dir c:\windows\re
sources\themes /s /a:s >>c:\output.txt & notepad c:\output.txt
Tiedostoa ei löydy.
Tiedostoa ei löydy.
Määritettyä ohjelmaa ei voi suorittaa.

C:\Documents and Settings\Janne>dir
Aseman C nimi on 25-11-42
Aseman sarjanumero on A001-C1F7

Kansio C:\Documents and Settings\Janne

31.12.2004 11:10 <KANSIO> .
31.12.2004 11:10 <KANSIO> ..
07.04.2006 20:05 <KANSIO> Käynnistä-valikko
20.04.2006 21:06 <KANSIO> Omat tiedostot
22.04.2006 11:32 <KANSIO> Suosikit
20.04.2006 20:50 <KANSIO> Työpöytä
06.12.2004 06:24 <KANSIO> WINDOWS
0 tiedosto(a) 0 tavua
7 kansio(ta) 27 799 162 880 tavua vapaana

C:\Documents and Settings\Janne>dir c:\windows\resources\themes /s
Aseman C nimi on 25-11-42
Aseman sarjanumero on A001-C1F7

Kansio c:\windows\resources\themes

01.10.2004 02:26 <KANSIO> .
01.10.2004 02:26 <KANSIO> ..
19.04.2006 07:53 <KANSIO> Luna
15.09.2004 15:00 1 222 Luna.theme
15.09.2004 15:00 3 025 Windows Classic.theme
2 tiedosto(a) 4 247 tavua

Kansio c:\windows\resources\themes\Luna

19.04.2006 07:53 <KANSIO> .
19.04.2006 07:53 <KANSIO> ..
15.09.2004 15:00 4 190 352 luna.msstyles
01.10.2004 02:26 <KANSIO> Shell
1 tiedosto(a) 4 190 352 tavua

Kansio c:\windows\resources\themes\Luna\Shell

01.10.2004 02:26 <KANSIO> .
01.10.2004 02:26 <KANSIO> ..
01.10.2004 02:26 <KANSIO> Homestead
01.10.2004 02:26 <KANSIO> Metallic
01.10.2004 02:26 <KANSIO> NormalColor
0 tiedosto(a) 0 tavua

Kansio c:\windows\resources\themes\Luna\Shell\Homestead

01.10.2004 02:26 <KANSIO> .
01.10.2004 02:26 <KANSIO> ..
15.09.2004 15:00 362 496 shellstyle.dll
1 tiedosto(a) 362 496 tavua

Kansio c:\windows\resources\themes\Luna\Shell\Metallic

01.10.2004 02:26 <KANSIO> .
01.10.2004 02:26 <KANSIO> ..
15.09.2004 15:00 362 496 shellstyle.dll
1 tiedosto(a) 362 496 tavua

Kansio c:\windows\resources\themes\Luna\Shell\NormalColor

01.10.2004 02:26 <KANSIO> .
01.10.2004 02:26 <KANSIO> ..
15.09.2004 15:00 361 472 shellstyle.dll
1 tiedosto(a) 361 472 tavua

Tiedostoja yhteensä:
6 tiedosto(a) 5 281 063 tavua
17 kansio(ta) 27 799 162 880 tavua vapaana

C:\Documents and Settings\Janne>dir c:\windows\resources\themes /s >>c:\output.t
xt

C:\Documents and Settings\Janne>dir c:\windows\resources\themes /s >>c:\output.t
xt & dir c:\windows\resources\themes /a:h /s
Aseman C nimi on 25-11-42
Aseman sarjanumero on A001-C1F7
Tiedostoa ei löydy.

C:\Documents and Settings\Janne>dir c:\windows\resources\themes /s >>c:\output.t
xt & dir c:\windows\resources\themes /a:h /s >>c:\output.txt
Tiedostoa ei löydy.

C:\Documents and Settings\Janne>dir c:\windows\resources\themes /s >>c:\output.t
xt & dir c:\windows\resources\themes /a:h /s >>c:\output.txt & dir c:\windows\re
sources\themes /s /a:s
Tiedostoa ei löydy.
Aseman C nimi on 25-11-42
Aseman sarjanumero on A001-C1F7
Tiedostoa ei löydy.

C:\Documents and Settings\Janne>dir c:\windows\resources\themes /s >>c:\output.t
xt & dir c:\windows\resources\themes /a:h /s >>c:\output.txt & dir c:\windows\re
sources\themes /s /a:s >>c:\output.txt & notepad
Tiedostoa ei löydy.
Tiedostoa ei löydy.
Määritettyä ohjelmaa ei voi suorittaa.

C:\Documents and Settings\Janne>dir c:\windows\resources\themes /s >>c:\output.t
xt & dir c:\windows\resources\themes /a:h /s >>c:\output.txt & dir c:\windows\re
sources\themes /s /a:s >>c:\output.txt & notepad c:\output.txt
Tiedostoa ei löydy.
Tiedostoa ei löydy.
Määritettyä ohjelmaa ei voi suorittaa.

C:\Documents and Settings\Janne>


Last edited by jjraula on Sun Apr 23, 2006 7:41 am; edited 1 time in total
jjraula
Junior Member


Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Sun Apr 23, 2006 2:02 am    Post subject: Reply with quote

Please read this before my previous reply. I did not realize that you had sent me two messages. So I read your earlier mail and did all you said. However, I'm not able to open either the uninstall list or the HJT log file (it says that the program is faulty and the reinstallation may fix it). After that I ran Command Prompt and added the line in your latest mail. The same answer: two times File not found and one time Defined program cannot be run.

I did not get toolbars back in IE.

Referring to your earlier mail: Ad-Aware is not working (it says that the program is faulty and the reinstallation may fix it). It used to run nicely. I tried to download it again on the web but the computer did not do that. The web page thanked me for downloading but I did not get any program. The same happened with other programs you suggested to download.

Many applications like Adobe and Netscape do not open (it says that the program is faulty and the reinstallation may fix it). Security Info Center does not open. Some of the components are missing...
bob4
SWW Masters Graduate


Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Sun Apr 23, 2006 11:04 am    Post subject: Reply with quote

Navigate to:

C:\windows\resources\Themes\Luna and then double click on luna.msstyles

See if that helps.
_________________
Graduate of Malware removal University


If this site has been of help maybe you would consider making a small donation.
jjraula
Junior Member
Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Sun Apr 23, 2006 12:42 pm

No.

It is not just styles. Some applications do not work.
bob4
SWW Masters Graduate
Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Mon Apr 24, 2006 11:20 am

Hello again,
Let's try this:

Go to this site and read the instructions for using this program.
http://officerecovery.com/freeundelete/product_information.htm#properusage

Once you read that (it's a short read)

Download the program to a flash drive if you have one.


Important

Save the exe file to a flash drive or another hard drive. Do not use C:/ to install it, if you can help it.

Install and run this program... when installing, use the appropriate letter that corresponds to your flash drive or another hard drive and run it from there.


I want you to try and take a screen shot of what it lists.
Do this by hitting Alt/print screen: Then open a new word document and paste it in there.
Now for the program:
Try to undelete everything that was deleted since the day you ran the clean up portion of the fix. Do this by looking at the dates.
The date I posted the all clean speech was April 17th. So try and undelete things on or about that day.

Then try and reinstall the programs that aren't working correctly.

Lemme know if that helps. I have a few really good experts trying to help me sort this out.
jjraula
Junior Member
Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Mon Apr 24, 2006 1:01 pm

Bob4, I already discussed this with some experts, too. They advised that if I have the recovery disk, I should just use it. And I did so. All suddenly came back and everything runs nicely. I had some problems with my internet connection but now it's working with no problems. These experts have had similar problems after running CleanUp. So, it is not unusual... However, thanks very much for your kind help. I'm going to download all the anti-spyware programs you suggested and keep them updated and run them frequently. Is there still something you want me to do?

Here are the latest uninstall and HJT log files from before the reinstallation:

Uninstall:
Ad-Aware SE Personal
Adobe Photoshop Album 2.0
Adobe Photoshop Elements 2.0
Adobe Reader 7.0
Aerosol Instrument Manager
ArcSoft PhotoStudio 5.5
Athlon 64 Processor Driver
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 1.6.1
Canon Utilities EOS Capture 1.3
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CleanUp!
DVD Shrink 3.2
ewido anti-malware
Google Desktop Search
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
InterActual Player
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 6
Logitech MouseWare 9.80
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Finnish Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AutoRoute v11.0
Microsoft Encarta Encyclopedia Standard - WE 2004
Microsoft Office Professional Edition 2003
Microsoft Picture It! Photo Standard 9
Microsoft Works
Microsoft Works 2004 Osien valitseminen
Microsoft Works Suiten Microsoft Word -lisäosan
Nero OEM
NeroVision Express 2
Netscape Browser (remove only)
Norman Internet Control
O2Micro MemoryCardBus Windows Driver
Panda ActiveScan
Päivitys Windows XP:lle (KB894391)
Päivitys Windows XP:lle (KB896727)
Päivitys Windows XP:lle (KB898461)
Päivitys Windows XP:lle (KB910437)
Shockwave
SiS 900 PCI Fast Ethernet Adapter Driver
SiS VGA Utilities
Smart Link 56K Modem
Suojauspäivitys Windows Media Player 9:lle (KB911565)
Suojauspäivitys Windows Media Playerille (KB911564)
Suojauspäivitys Windows XP:lle (KB883939)
Suojauspäivitys Windows XP:lle (KB890046)
Suojauspäivitys Windows XP:lle (KB893756)
Suojauspäivitys Windows XP:lle (KB896358)
Suojauspäivitys Windows XP:lle (KB896422)
Suojauspäivitys Windows XP:lle (KB896423)
Suojauspäivitys Windows XP:lle (KB896424)
Suojauspäivitys Windows XP:lle (KB896428)
Suojauspäivitys Windows XP:lle (KB896688)
Suojauspäivitys Windows XP:lle (KB899587)
Suojauspäivitys Windows XP:lle (KB899588)
Suojauspäivitys Windows XP:lle (KB899591)
Suojauspäivitys Windows XP:lle (KB900725)
Suojauspäivitys Windows XP:lle (KB901017)
Suojauspäivitys Windows XP:lle (KB901214)
Suojauspäivitys Windows XP:lle (KB902400)
Suojauspäivitys Windows XP:lle (KB903235)
Suojauspäivitys Windows XP:lle (KB904706)
Suojauspäivitys Windows XP:lle (KB905414)
Suojauspäivitys Windows XP:lle (KB905749)
Suojauspäivitys Windows XP:lle (KB905915)
Suojauspäivitys Windows XP:lle (KB908519)
Suojauspäivitys Windows XP:lle (KB908531)
Suojauspäivitys Windows XP:lle (KB911562)
Suojauspäivitys Windows XP:lle (KB911567)
Suojauspäivitys Windows XP:lle (KB911927)
Suojauspäivitys Windows XP:lle (KB912812)
Suojauspäivitys Windows XP:lle (KB912919)
Suojauspäivitys Windows XP:lle (KB913446)
Synaptics Pointing Device Driver
TypingMaster Pro
VIA Audio Driver Setup Program
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Toolbar

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:46:04, on 23.4.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\sistray.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Norman\bin\niu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fimnet.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
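The HijackThis log above is a plain-text format that a helper reads by hand. As an added example (not code from the forum, from bob4, or from HijackThis itself), here is a small Python parser that splits such a log into the running-process list and the keyed entries, then lists the items a reviewer looks at first: O23 services with an unknown owner, O4 autostarts given as a bare filename with no path, and O16 ActiveX downloads. The sample lines are constructed from entries posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99.1 log format (a few lines, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Norman\bin\ZANDA.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fimnet.fi/
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
"""

# Keyed entries look like "O23 - body" or "R0 - body".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, {kind: [body, ...]})."""
    processes, entries = [], defaultdict(list)
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True          # process paths follow, one per line
            continue
        if not line:
            in_procs = False         # blank line ends the process block
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries[m["kind"]].append(m["body"])
        elif in_procs:
            processes.append(line)
    return processes, dict(entries)


def review_points(text):
    """Return (reason, item) pairs a reviewer would verify first."""
    _, entries = parse_hjt(text)
    points = []
    for body in entries.get("O23", []):          # services whose vendor is not known
        if " - Unknown owner - " in body:
            points.append(("O23 unknown owner", body.split(" - ")[-1]))
    for body in entries.get("O4", []):           # autostarts with no full path
        target = body.split("] ", 1)[-1]
        if not re.match(r'^"?[A-Za-z]:\\', target):
            points.append(("O4 bare filename", target))
    for body in entries.get("O16", []):          # ActiveX downloads (DPF)
        points.append(("O16 ActiveX download", body.rsplit(" - ", 1)[-1]))
    return points
```

A flagged item is a prompt to verify the file's origin and vendor, not a verdict; in the log above the Norman entries are a legitimate product the poster had installed.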
bob4
SWW Masters Graduate
Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Mon Apr 24, 2006 1:30 pm

First let me say I am so sorry this ever happened. Believe me when I say Cleanup 4.0 is a 4 letter word to me. We both learned about a not so good program.

I will go through your log and check for other problems and be back with you as soon as I can.
bob4
SWW Masters Graduate
Joined: 30 Nov 2005
Last Visit: 28 Jan 2010
Posts: 1436

PostPosted: Mon Apr 24, 2006 4:56 pm

That log looks great.

As long as you just reinstalled everything be sure to visit windows update and get any critical updates they may have for you.

Again my apologies for the headaches.
jjraula
Junior Member
Joined: 08 Apr 2006
Last Visit: 14 Mar 2007
Posts: 15

PostPosted: Tue Apr 25, 2006 9:18 am

No apologies, everything is fine now and we both learned a lot. My computer is clean and you've got valuable information for cases like this. Now I have automatic Windows update and three spyware detection programs. I should be safe for a while. Cool

Many thanks!
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group