Anybody who can help with this fu...ing spy / virus ???

olgierd-k
Joined: 19 Feb 2006 Posts: 2
Post subject: Anybody who can help with this fu...ing spy / virus ???
Hi everybody,
Here is what happens:
From time to time the Network connection window appears saying:
"You (or some program) requires information from xxxxx. Which connection do you want to use ?"
Where xxxxx is one of the following:
smtp.aol.com
smtp.google.com
smtp.mail.ru
yahoo.com
66.36.243.201
socks.temphost.ws
On that infected computer I'm not even connected to the internet and I do not run any program. But I need it to be connected and do not want any spyware to connect behind my back to the above sites.
I have tried to remove these pests manually; I have downloaded and run Spy Doctor, Search & Destroy, Ad-aware and Norman. There was a number of adware which was removed successfully, but this one (or some) still persists !!! Any help would be appreciated.
Here is my log.
Logfile of HijackThis v1.99.1
Scan saved at 12:14:23, on 2006-02-19
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AEIWLSVC.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\HPConfig.exe
c:\LaserJet3150\jsdaemon.exe
C:\Program\Network Monitor\netmon.exe
C:\Norman\Bin\Zanda.exe
C:\Reflection_90\rtsserv.exe
C:\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\slpservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\slpmonx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\AEIWLRAD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\program\hewlett-packard\Mmenu\hpcdtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe
C:\Program\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
C:\Program\HPONE-~1\OneTouch.EXE
C:\Program\QuickTime\qttask.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\DELADE~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\NOKIA9~2\NOKIAP~1\TRAYAP~1.EXE
C:\Norman\bin\ZLH.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Spyware Doctor\swdoctor.exe
C:\Security\Antivir\BitDefender for ICQ\aqmon.exe
C:\LaserJet3150\JETSTAT.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program\Delade filer\efax\dllcmd32.exe
C:\WWW_Utilities\ZoneAlarm\zonealarm.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.EXE
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\bin\cclaw.exe
c:\LASERJ~1\JSFMAN.EXE
C:\Utilities\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\WWW_Utilities\PopUp_Stopp_v30\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WWW_UT~1\SPYBOT~2\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\WWW_Utilities\PopUp_Stopp_v30\popupus.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [1AEIWLRAD.EXE] AEIWLRAD.EXE
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP CD-Writer] c:\program\hewlett-packard\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Tray Icon WMI] C:\Program\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe
O4 - HKLM\..\Run: [HP Lamp] C:\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\Program\DELADE~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\NOKIA9~2\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: BitDefender for ICQ.lnk = C:\Security\Antivir\BitDefender for ICQ\aqmon.exe
O4 - Global Startup: BitDefender for MSN Messenger.lnk = C:\Security\Antivir\BitDefender for MSN Messenger\msnmon.exe
O4 - Global Startup: BitDefender_P2P_Startup.lnk = C:\WINDOWS\BitDefender_P2P_Startup.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\LaserJet3150\JETSTAT.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program\Delade filer\efax\dllcmd32.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\WWW_Utilities\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &2 Customize Menu - res://C:\WWW_Utilities\Robot_fill_form\RoboForm.dll/ComCustomIEMenu.html
O8 - Extra context menu item: &7 Fill Forms - res://C:\WWW_Utilities\Robot_fill_form\RoboForm.dll/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://C:\WWW_Utilities\Robot_fill_form\RoboForm.dll/ComSavePass.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Search Using Copernic - C:\Copernic_2001\Search Extension.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Copernic_2001\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Copernic_2001\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Copernic_2001\Copernic.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra 'Tools' menuitem: &7 Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra button: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra 'Tools' menuitem: &8 Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: RF toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Copernic_2001\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Copernic_2001\Translate.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/omnibook/home
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.08.43-hp&http://h71016.www7.hp.com/html/interactive/h6300/model.html?jumpid=in_r295_3d/HND/h6300|ProdPage|viewpoint
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D28D13B-D293-42A0-BCFA-30011D9F1654}: NameServer = 194.204.152.34,194.204.159.1
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Aeiwsvc - Unknown owner - C:\WINDOWS\system32\AEIWLSVC.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HPAlertWMI - Hewlett-Packard Co. - C:\Program\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\LaserJet3150\jsdaemon.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program\Network Monitor\netmon.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Reflection_90\rtsserv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Spyware Doctor\sdhelp.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
=====================================================
And here is my ADS Spy log
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-3757435101-3802400216-3657561249-500$201c2788dfa4bd1.tif : Xj1phwzh5qcwungrN45kt3kiCe (992 bytes)
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-3757435101-3802400216-3657561249-500$201c3474befb0b3.tif : Xj1phwzh5qcwungrN45kt3kiCe (912 bytes)
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-3757435101-3802400216-3657561249-500$201c3474c9ab278.tif : Xj1phwzh5qcwungrN45kt3kiCe (912 bytes)
Sun Feb 19, 2006 10:30 pm
GTO
Joined: 15 Nov 2005 Posts: 1519
Hi, olgierd-k. Welcome to 2-Spyware.com forums!
Please follow these steps:
1. Download the KillBox utility.
2. Use HijackThis to fix the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
3. Use KillBox to delete the following file:
C:\Program\Network Monitor\netmon.exe
4. Delete the entire C:\Program\Network Monitor directory.
5. After you get done, run another HijackThis scan and post a fresh log here.
P.S. Your system is not up-to-date! You have to install Service Pack 2 for Microsoft Windows XP and Service Pack 2 for Microsoft Internet Explorer. Also apply all the latest updates and security fixes.
Mon Feb 20, 2006 8:37 pm
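The three rules behind GTO's list above (an entry whose target file is gone, a registry value that has been blanked, and a service whose binary carries no publisher name and lives somewhere unfamiliar) can be applied mechanically to a whole HijackThis log before a human looks at it. The script below is an added example, not code from the thread or from HijackThis: the sample entries are copied from the first log in this thread, while the `trusted_roots` parameter, the `Finding` structure and the reason strings are assumptions of this example. "Unknown owner" is treated here as "no company name could be read from the binary", which is roughly what HijackThis means by it.

```python
import re
from dataclasses import dataclass

# Sample input: a handful of entries copied from the HijackThis log posted
# above, enough to exercise every triage rule offline.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program\Network Monitor\netmon.exe
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
"""

# "O23 - <body>": section tag, then the entry body HijackThis printed.
ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Body of an O23 line: "Service: <name> - <owner> - <path>".
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text, trusted_roots=()):
    """Return the entries a reviewer would look at first.

    The rules are assumptions of this example, mirroring the thread: dead
    entries (target file missing), blanked browser settings, and services
    with no publisher name that sit outside a root the analyst vouches for
    (e.g. the directory of an installed antivirus product).
    """
    findings = []
    roots = tuple(r.lower() for r in trusted_roots)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list, separators
        section, body = m.group("section"), m.group("body")
        if body.endswith("(file missing)"):
            findings.append(Finding(section, "target file is missing; dead entry", line))
        elif section in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append(Finding(section, "browser setting has been blanked; reset it", line))
        elif section == "O23":
            svc = SERVICE.match(body)
            if svc and svc.group("owner") == "Unknown owner":
                path = svc.group("path").lower()
                # str.startswith(()) is False, so with no trusted roots every
                # publisher-less service is reported.
                if not path.startswith(roots):
                    findings.append(Finding(
                        section,
                        "service has no publisher and is outside a trusted root; verify the binary",
                        line))
    return findings


if __name__ == "__main__":
    # C:\Norman\ is the installed AV in this thread, so its publisher-less
    # helper services are suppressed; netmon.exe is still reported.
    for f in triage(SAMPLE_HJT_LOG, trusted_roots=(r"C:\Norman\\",)):
        print(f"{f.section}: {f.reason}")
        print(f"    {f.line}")
```

Run against the full log, the same four entries GTO listed come out, plus the two ATI/wireless services with "Unknown owner" in System32, which is exactly the kind of result a trusted-roots list is there to suppress once a person has confirmed what they are.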
olgierd-k
Joined: 19 Feb 2006 Posts: 2
Post subject: Thanks for help!
Hi GTO!
Thanks for help, I really appreciate this !
I did as you suggested, deleting Network Monitor altogether; I could do it in Safe Mode without KillBox.
I changed the registry and restarted and... the Network connection pop-ups came back as before !!! Even though netmon.exe was not running any longer ! So it was not (not only ???) cicios.H ???
I scanned with ADS Spy in HijackThis and deleted the last 3 entries. Then I installed Ewido, which seems to be outstanding ! It found 7 more things which Spy Doc or Ad-Aware never showed ! I deleted them all. Restarted, and... IT IS NOT POPPING UP ANY LONGER !!!!
So I can connect again (which I did) and am running on this computer now.
What do you think, what was it ??? Which of the actions taken did the trick ?? It's good that it is gone, but it would be very good to know what it was and how it works ?
I attach the most recent HijackThis log, ADS log and Ewido log. Hope it looks ok now, doesn't it ?? (I hope I'm not happy too early.... !)
Logfile of HijackThis v1.99.1
Scan saved at 18:09:32, on 2006-02-21
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AEIWLSVC.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPConfig.exe
c:\LaserJet3150\jsdaemon.exe
C:\Norman\Bin\Zanda.exe
C:\Reflection_90\rtsserv.exe
C:\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\slpservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\slpmonx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\AEIWLRAD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\program\hewlett-packard\Mmenu\hpcdtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe
C:\Program\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program\HPONE-~1\OneTouch.EXE
C:\Program\QuickTime\qttask.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\DELADE~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\NOKIA9~2\NOKIAP~1\TRAYAP~1.EXE
C:\Norman\bin\ZLH.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Security\Antivir\BitDefender for ICQ\aqmon.exe
C:\LaserJet3150\JETSTAT.EXE
C:\Program\Delade filer\efax\dllcmd32.exe
C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.EXE
c:\LASERJ~1\JSFMAN.EXE
C:\Ewido anti-malware\ewidoguard.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\spyware doctor\swdoctor.exe
C:\Utilities\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://basun.sunet.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\WWW_Utilities\PopUp_Stopp_v30\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WWW_UT~1\SPYBOT~2\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\WWW_Utilities\PopUp_Stopp_v30\popupus.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [1AEIWLRAD.EXE] AEIWLRAD.EXE
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP CD-Writer] c:\program\hewlett-packard\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Tray Icon WMI] C:\Program\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe
O4 - HKLM\..\Run: [HP Lamp] C:\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\Program\DELADE~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\NOKIA9~2\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: BitDefender for ICQ.lnk = C:\Security\Antivir\BitDefender for ICQ\aqmon.exe
O4 - Global Startup: BitDefender for MSN Messenger.lnk = C:\Security\Antivir\BitDefender for MSN Messenger\msnmon.exe
O4 - Global Startup: BitDefender_P2P_Startup.lnk = C:\WINDOWS\BitDefender_P2P_Startup.exe
O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\LaserJet3150\JETSTAT.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program\Delade filer\efax\dllcmd32.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\WWW_Utilities\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &2 Customize Menu - res://C:\WWW_Utilities\Robot_fill_form\RoboForm.dll/ComCustomIEMenu.html
O8 - Extra context menu item: &7 Fill Forms - res://C:\WWW_Utilities\Robot_fill_form\RoboForm.dll/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://C:\WWW_Utilities\Robot_fill_form\RoboForm.dll/ComSavePass.html
O8 - Extra context menu item: Search Using Copernic - C:\Copernic_2001\Search Extension.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Copernic_2001\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Copernic_2001\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Copernic_2001\Copernic.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra 'Tools' menuitem: &7 Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra button: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra 'Tools' menuitem: &8 Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra button: RF toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\WWW_Utilities\Robot_fill_form\RoboForm.dll
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Copernic_2001\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Copernic_2001\Translate.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/omnibook/home
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.08.43-hp&http://h71016.www7.hp.com/html/interactive/h6300/model.html?jumpid=in_r295_3d/HND/h6300|ProdPage|viewpoint
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D28D13B-D293-42A0-BCFA-30011D9F1654}: NameServer = 194.204.152.34,194.204.159.1
O23 - Service: Aeiwsvc - Unknown owner - C:\WINDOWS\system32\AEIWLSVC.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Ewido anti-malware\ewidoguard.exe
O23 - Service: HPAlertWMI - Hewlett-Packard Co. - C:\Program\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\LaserJet3150\jsdaemon.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Reflection_90\rtsserv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Spyware Doctor\sdhelp.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
============================ ADS =====================
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-3757435101-3802400216-3657561249-500$201c2788dfa4bd1.tif : Xj1phwzh5qcwungrN45kt3kiCe (992 bytes)
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-3757435101-3802400216-3657561249-500$201c2788dfa4bd1.tif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-3757435101-3802400216-3657561249-500$201c3474befb0b3.tif : Xj1phwzh5qcwungrN45kt3kiCe (912 bytes)
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-3757435101-3802400216-3657561249-500$201c3474befb0b3.tif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-3757435101-3802400216-3657561249-500$201c3474c9ab278.tif : Xj1phwzh5qcwungrN45kt3kiCe (912 bytes)
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-3757435101-3802400216-3657561249-500$201c3474c9ab278.tif : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
C:\Documents and Settings\All Users\Dokument\Mina bilder\Exempelbilder\Thumbs.db : encryptable (0 bytes)
C:\HP_gamla_pgm\HP_calender\APPTS.EXE : SummaryInformation (88 bytes)
C:\HP_gamla_pgm\HP_calender\APPTS.EXE : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
=================== Ewido =============
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 06:27:59, 2006-02-21
+ Report-Checksum: B00040CC
+ Scan result:
C:\1_drsmartload1._xe -> Downloader.VB.wj : Cleaned with backup
C:\1_gimmygames._xe -> Downloader.VB.wd : Cleaned with backup
C:\Eudora.ok\BILAGOR\maly_test.exe -> Not-A-Virus.BadJoke.Win32.Stupen.c : Cleaned with backup
C:\Norman\Norman_GenFix.exe -> Heuristic.Win32.HostFile : Cleaned with backup
C:\Utilities\Viruses\Norman\Norman_GenFix.exe -> Heuristic.Win32.HostFile : Cleaned with backup
C:\WINDOWS\Access._xe -> Dialer.SexProvider : Cleaned with backup
C:\WINDOWS\system32\barseek.dll -> Proxy.Small.du : Cleaned with backup
C:\WINDOWS\sys_reg_virussmitt_AdwareRaxums.txt -> Hijacker.StartPage : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Cleaned with backup
C:\WINDOWS\toolbar.exe -> Downloader.VB.vz : Cleaned with backup
C:\WINDOWS\winsysban7.exe -> Hijacker.VB.le : Cleaned with backup
C:\WINDOWS\winsysupd7.exe -> Downloader.VB.wg : Cleaned with backup
::Report End
---------------------------------------------------------
ewido anti-malware - Process report
---------------------------------------------------------
+ Created on: 06:33:32, 2006-02-21
+ Report-Checksum: 9154DF8C
0: System Process
4: System Process
200: C:\WINDOWS\System32\atiptaxx.exe
228: C:\Program\Hewlett-Packard\HP Display Settings\hpdisply.exe
240: C:\Program\Synaptics\SynTP\SynTPLpr.exe
260: C:\Program\Synaptics\SynTP\SynTPEnh.exe
268: C:\WINDOWS\System32\AEIWLRAD.EXE
280: C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
284: C:\WINDOWS\System32\hphmon03.exe
292: C:\Program\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
300: C:\Program\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
308: C:\program\hewlett-packard\Mmenu\hpcdtray.exe
336: C:\Program\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe
372: C:\WINDOWS\system32\dla\tfswctrl.exe
412: \SystemRoot\System32\smss.exe
468: \??\C:\WINDOWS\system32\csrss.exe
492: \??\C:\WINDOWS\system32\winlogon.exe
544: C:\WINDOWS\system32\services.exe
556: C:\WINDOWS\system32\lsass.exe
700: C:\Ewido anti-malware\ewidoctrl.exe
764: C:\WINDOWS\system32\svchost.exe
808: C:\WINDOWS\System32\svchost.exe
896: C:\Program\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
932: C:\WINDOWS\System32\svchost.exe
956: C:\WINDOWS\System32\svchost.exe
1076: C:\WINDOWS\system32\spoolsv.exe
1164: C:\WINDOWS\system32\AEIWLSVC.EXE
1176: C:\WINDOWS\System32\Ati2evxx.exe
1288: C:\WINDOWS\System32\HPConfig.exe
1312: c:\LaserJet3150\jsdaemon.exe
1336: C:\Program\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
1368: C:\Norman\Bin\Zanda.exe
1404: C:\Reflection_90\rtsserv.exe
1488: C:\Spyware Doctor\sdhelp.exe
1516: C:\WINDOWS\System32\slpservice.exe
1536: C:\WINDOWS\System32\snmp.exe
1548: C:\WINDOWS\System32\slpmonx.exe
1564: C:\WINDOWS\System32\svchost.exe
1588: C:\WINDOWS\System32\wdfmgr.exe
1624: C:\WINDOWS\system32\ZoneLabs\vsmon.exe
1948: C:\WINDOWS\Explorer.EXE
1992: C:\WINDOWS\System32\wbem\wmiprvse.exe
2196: C:\Program\HPONE-~1\OneTouch.EXE
2204: C:\Program\QuickTime\qttask.exe
2216: C:\Program\Delade filer\Real\Update_OB\realsched.exe
2224: C:\Program\DELADE~1\PCSuite\DATALA~1\DATALA~1.EXE
2232: C:\NOKIA9~2\NOKIAP~1\TRAYAP~1.EXE
2264: C:\Norman\bin\ZLH.EXE
2272: C:\WINDOWS\System32\ctfmon.exe
2280: C:\spyware doctor\Swdoctor.exe
2312: C:\Security\Antivir\BitDefender for ICQ\aqmon.exe
2372: C:\LaserJet3150\JETSTAT.EXE
2392: C:\Program\Delade filer\efax\dllcmd32.exe
2432: C:\WWW_Utilities\ZoneAlarm\zonealarm.exe
2508: C:\Norman\Nvc\BIN\nipsvc.exe
2532: C:\Norman\bin\NJEEVES.EXE
2588: C:\Norman\Nvc\bin\nvcoas.exe
2616: C:\Norman\Nvc\BIN\NIP.EXE
2632: c:\LASERJ~1\JSFMAN.EXE
2660: C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.EXE
3020: C:\Norman\Nvc\bin\cclaw.exe
3124: C:\WinZip_8\winzip32.exe
3880: C:\Ewido anti-malware\SecuritySuite.exe
---------------------------------------------------------
ewido anti-malware - Startup report
---------------------------------------------------------
+ Created on: 06:30:21, 2006-02-21
+ Report-Checksum: 5BBE12CE
Reg\HKLM\Run ATIModeChange Ati2mdxx.exe
Reg\HKLM\Run AtiPTA atiptaxx.exe
Reg\HKLM\Run HP Display Settings C:\Program\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
Reg\HKLM\Run SynTPLpr C:\Program\Synaptics\SynTP\SynTPLpr.exe
Reg\HKLM\Run SynTPEnh C:\Program\Synaptics\SynTP\SynTPEnh.exe
Reg\HKLM\Run 1AEIWLRAD.EXE AEIWLRAD.EXE
Reg\HKLM\Run HP Presentation Ready C:\Program\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
Reg\HKLM\Run HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
Reg\HKLM\Run HPHmon03 C:\WINDOWS\System32\hphmon03.exe
Reg\HKLM\Run CXMon "C:\Program\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
Reg\HKLM\Run Share-to-Web Namespace Daemon C:\Program\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
Reg\HKLM\Run HP CD-Writer c:\program\hewlett-packard\Mmenu\hpcdtray.exe
Reg\HKLM\Run dla C:\WINDOWS\system32\dla\tfswctrl.exe
Reg\HKLM\Run HP Tray Icon WMI C:\Program\Hewlett-Packard\TopToolsWMI\HPTrayIcon.exe
Reg\HKLM\Run HP Lamp C:\HP PrecisionScan\PrecisionScan\HPLamp.exe
Reg\HKLM\Run QT4HPOT C:\Program\HPONE-~1\OneTouch.EXE
Reg\HKLM\Run QuickTime Task "C:\Program\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run TkBellExe "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
Reg\HKLM\Run DataLayer C:\Program\DELADE~1\PCSuite\DATALA~1\DATALA~1.EXE
Reg\HKLM\Run PCSuiteTrayApplication C:\NOKIA9~2\NOKIAP~1\TRAYAP~1.EXE
Reg\HKLM\Run Norman ZANDA C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
Reg\HKCU\Run CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
Reg\HKCU\Run Spyware Doctor "C:\spyware doctor\Swdoctor.exe" /Q
Reg\HKCU\Run Windows installer
Shell\CommonStartup BitDefender for ICQ.lnk C:\Documents and Settings\All Users\Start-meny\Program\Autostart\BitDefender for ICQ.lnk
Shell\CommonStartup BitDefender for MSN Messenger.lnk C:\Documents and Settings\All Users\Start-meny\Program\Autostart\BitDefender for MSN Messenger.lnk
Shell\CommonStartup BitDefender_P2P_Startup.lnk C:\Documents and Settings\All Users\Start-meny\Program\Autostart\BitDefender_P2P_Startup.lnk
Shell\CommonStartup HP LaserJet 3150 Status.lnk C:\Documents and Settings\All Users\Start-meny\Program\Autostart\HP LaserJet 3150 Status.lnk
Shell\CommonStartup Live Menu.lnk C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Live Menu.lnk
Shell\CommonStartup ZoneAlarm.lnk C:\Documents and Settings\All Users\Start-meny\Program\Autostart\ZoneAlarm.lnk
[/quote]
Tue Feb 21, 2006 6:29 pm

GTO
Joined: 15 Nov 2005 Posts: 1519
Post subject:
Hi, olgierd-k.
I'm glad you have successfully got rid of the infection. According to the ewido anti-malware log, your system was infected with the following parasites:
C:\1_drsmartload1._xe -> Downloader.VB.wj
C:\1_gimmygames._xe -> Downloader.VB.wd
C:\Eudora.ok\BILAGOR\maly_test.exe -> Not-A-Virus.BadJoke.Win32.Stupen.c
C:\WINDOWS\Access._xe -> Dialer.SexProvider
C:\WINDOWS\system32\barseek.dll -> Proxy.Small.du
C:\WINDOWS\sys_reg_virussmitt_AdwareRaxums.txt -> Hijacker.StartPage
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.az
C:\WINDOWS\toolbar.exe -> Downloader.VB.vz
C:\WINDOWS\winsysban7.exe -> Hijacker.VB.le
C:\WINDOWS\winsysupd7.exe -> Downloader.VB.wg
As you can see, none of the infected files were on your HijackThis log. The reason is simple: HijackThis is programmed to check only a fixed number of specific locations in the Windows registry. It doesn't scan your files and the file system. Malicious registry entries associated with the infected files were in different registry parts that HijackThis doesn't check. That is why I couldn't provide you with the full list of malicious files. And that is why it is very important to have several powerful anti-spyware programs and scan the infected system with each of them. There is no such tool that finds 100% of parasites. Advanced anti-spyware products complement each other.
Wed Feb 22, 2006 3:48 pm
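GTO's point is that a tool only reports what it was written to look at, and the same holds when a startup report like the one quoted above is read by hand. The following added example (my code, not ewido's, HijackThis' or anything GTO posted) parses startup-report lines in the layout quoted in the thread (`Reg\HKLM\Run <value name> <command>`, `Reg\HKCU\Run ...`, `Shell\CommonStartup <name>.lnk <path>`), extracts the executable from each command line, and flags the entries a reviewer would check first: values with no command at all, bare file names that get resolved through the search path at logon, and executables launched from a drive root or the Windows root directory. The line layout, the triage rules and the `ExampleUpdater` entry are my assumptions and constructions, not facts from the thread; the other sample lines are copied from the report above.

```python
"""Parse ewido-style startup-report lines and triage the autostart entries.

Added example for this thread; not ewido's, HijackThis' or GTO's code.
The line layout is inferred from the report quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the thread's report, plus one
# constructed line (ExampleUpdater) that is NOT from the thread.
SAMPLE_REPORT = r"""
Reg\HKLM\Run ATIModeChange Ati2mdxx.exe
Reg\HKLM\Run HP Display Settings C:\Program\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
Reg\HKLM\Run CXMon "C:\Program\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
Reg\HKLM\Run QuickTime Task "C:\Program\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run Norman ZANDA C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
Reg\HKCU\Run Spyware Doctor "C:\spyware doctor\Swdoctor.exe" /Q
Reg\HKCU\Run Windows installer
Reg\HKCU\Run ExampleUpdater C:\WINDOWS\example_upd.exe
Shell\CommonStartup ZoneAlarm.lnk C:\Documents and Settings\All Users\Start-meny\Program\Autostart\ZoneAlarm.lnk
"""


@dataclass
class Entry:
    location: str  # e.g. Reg\HKLM\Run or Shell\CommonStartup
    name: str      # registry value name or shortcut file name
    command: str   # raw command line, "" when the value carried none
    exe: str       # executable/shortcut path taken from the command, "" if none


# A command line begins at a quoted string or at a drive-letter path.
_CMD_START = re.compile(r'"|\b[A-Za-z]:\\')
_EXE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".lnk")
_EXE_RE = re.compile(r"(.*?\.(?:exe|com|bat|cmd|scr|pif|lnk))(?=\s|$)", re.IGNORECASE)
# Directories from which vendor software is rarely started (heuristic).
_ODD_DIRS = {"c:\\", "c:\\windows\\"}


def split_name_command(rest):
    """Split '<value name> <command>' where the name itself may contain spaces."""
    m = _CMD_START.search(rest)
    if m:
        return rest[: m.start()].rstrip(), rest[m.start():].strip()
    # No path present: a bare executable name is the last token, else no command.
    tokens = rest.split()
    if tokens and tokens[-1].lower().endswith(_EXE_EXTS):
        return " ".join(tokens[:-1]), tokens[-1]
    return rest.strip(), ""


def extract_exe(command):
    """Return the program path from a command line, dropping arguments."""
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _EXE_RE.match(command)
    return m.group(1) if m else command.split()[0]


def parse_report(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        location, _, rest = line.partition(" ")
        if not location.startswith(("Reg\\", "Shell\\")):
            continue  # skip report headers and unrelated lines
        name, command = split_name_command(rest)
        entries.append(Entry(location, name, command, extract_exe(command)))
    return entries


def parent_dir(path):
    return path[: path.rfind("\\") + 1].lower()


def triage(entries):
    """Return (value name, reason) pairs for entries worth a closer look."""
    findings = []
    for e in entries:
        if not e.command:
            findings.append((e.name, "no command line: blank or non-path data; inspect the raw value"))
        elif not re.match(r"[A-Za-z]:\\", e.exe):
            findings.append((e.name, "bare file name resolved via the search path; locate the file that runs"))
        elif parent_dir(e.exe) in _ODD_DIRS:
            findings.append((e.name, "started from a drive or Windows root directory; verify the file"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_report(SAMPLE_REPORT)):
        print(f"{name}: {reason}")
```

The rules are deliberately narrow: the parser says nothing about whether a file is malicious, it only surfaces the entries where the report alone does not tell you which file will actually run, which is exactly the gap GTO describes between a fixed-location log and a file-system scan.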