Tech Support Forum

Netsh.exe starts and stops

9K views 16 replies 4 participants last post by  Detah 
#1 ·
I have a problem I can't solve.

The netsh.exe file starts and stops every 4 seconds and the CPU usage goes up and down between 0-10% all the time. I didn't do anything to start the netsh.exe file, but I've found out that if I stop the npfsvice.exe file it stops.

As far as I know the netsh.exe file is a system file and npfsvice.exe is something for the Norman Personal Firewall.

I have 3 years of free support on my computer.
So I've tried to contact Norman about this, but they won't help me since the program was preinstalled on my computer. So I tried to contact Fujitsu Siemens, but the computer was older than 6 months. Then I tried to contact the shop I bought it in and they told me to call a number that cost $4/min :rolleyes:
 
#2 ·
I would be glad to help you.

Sounds like your tech support people are playing the old hot potato game with you. Shame on them. Well, it doesn't matter. We will help you here.

netsh.exe is a Windows utility for command line operations.

See below for more.

http://support.microsoft.com/defaul...port/kb/articles/Q242/4/68.ASP&NoWebContent=1

But let's take this from the beginning.
It would be very helpful if you could post a HiJackThis log for us. HiJackThis is a diagnostic and repair tool that tells us some very basic information about your computer, including OS, internet browser version, and service packs, which helps us to analyze your problem. So please download HiJackThis and post your log. It is important to have the most recent version of HiJackThis. The most current version is v1.98.2.
------------------------------------------------------------------------
HijackThis instructions (~157KB)
  • Download HiJackThis (written by Merijn Bellekom) from
    http://www.spywareinfo.com/~merijn/downloads.html
    Save HijackThis.exe into its own permanent directory, NOT in a TEMPorary folder or on the DESKTOP. Temporary folders get cleaned out periodically and are often destinations for viruses and spyware. So you don't want it there. If you place HJT on the Desktop, then all of your logs and backups will get spread out over the desktop. That is not efficient. For simplicity, I recommend c:/program files/HJT/
    Close all windows, programs and especially internet browsers.
  • Double-click HijackThis.exe. Config | Misc Tools | Check for update online, save into your permanent directory. Close HJT. Unzip into permanent directory. Replace file=Yes.
  • Double-click HijackThis.exe. Press the <Scan> button
    DO NOT FIX ANYTHING YET!! Most of the entries found in a HiJackThis scan are programs/files which are REQUIRED for your computer to operate normally.
  • Press the <Save Log> button and save into your HJT folder. Change the file name to HJT 7-28-04a.log or some similar dating nomenclature so you can identify each log
  • The log should automatically open in Notepad. If not, open the log file from any text editor (Notepad, MS Word, Word Perfect, etc)
  • Copy/paste the results here in this forum and let an expert evaluate it for you.
  • Close HiJackThis//
------------------------------------------------------------------------

spywareinfo is down lately. So try here:
http://www.download.com/3000-8022-10227353.html

Detah
 
#3 ·
Here is the HijackThis log
Logfile of HijackThis v1.98.2
Scan saved at 5:56:46 PM, on 09/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\National Instruments\Shared\License Manager\Bin\lmgrd.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\National Instruments\Shared\License Manager\Bin\nilm.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\WINDOWS\System32\taskmgr.exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\winregsrv.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\netsh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.no/Default.asp?Ath=f
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {1CADD4F9-3C72-4F51-9088-5322DF3A72CE} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [winregsrv] C:\WINDOWS\System32\winregsrv.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CTFMON] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Åpne klient i skjerm &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Åpne klient i skjerm &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdateV3 - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
 
#4 ·
You have the SYNRG TROJAN. This is a very nasty one. It turns your computer into a bot, aka a Zombie. I am not very familiar with Norman Antivirus software, but it looks very bulky and invasive. This program has 11 applications running at all times. This is excessive. And it clearly isn't doing its job, because you are infected by a virus that is over 2 years old.

Ok. Let's get rid of this puppy.

This is the bad guy
C:\WINDOWS\System32\winregsrv.exe
VIRUS SYNRG TROJAN!!
O3 - Toolbar: (no name) - {1CADD4F9-3C72-4F51-9088-5322DF3A72CE} - (no file)
O4 - HKLM\..\Run: [winregsrv] C:\WINDOWS\System32\winregsrv.exe

You can read Norton's security response info about this trojan here:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.synrg.html

* Boot into Safe Mode, CTRL + ALT + DEL, select winregsrv.exe (may not be present), End Task.
Now use your Find Files to locate any instances of winregsrv.exe. There should only be one entry at c:/windows/system32/ and delete it. DO NOT even let it stay in your recycle bin, permanently delete it.

* Open the Registry Editor Click Start | Run | type "regedit"
Now we will make a backup of your Registry.
Click File, then Export. A Save dialogue window will open. Type a name like Registry backup 9-9-04.reg and save it in a permanent directory on your harddrive, like c:/program files/Registry backups/

* Now navigate to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value
winregsrv %windir%\system\winregsvr.exe

* Close the Registry Editor.

* Reboot into normal mode.

------------------------------------------------------------------------
Here are two essential anti-spyware programs which you should run regularly. Updates for these programs come out weekly.

Spybot Search & Destroy instructions (~3.5MB)
  • Download Spybot (written by Patrick Kolla). Click <download> from
    http://www.safer-networking.org/
    Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop.
    I recommend c:/program files/spybot/
  • Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory.
  • Open Spybot from Start | Programs | Spybot | Spybot S&D
  • Select <Search for Updates>. Let it install all updates. This is very important!
  • Select <Immunize>
  • Select <Check for Problems>
  • Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it.
  • Select <Fix Selected Problems>
  • Close Spybot//

Ad-Aware instructions (1.7 MB)
  • Download Ad-Aware (written by Lavasoft) from
    http://www.lavasoft.de/
    click Download on the left hand column, then click <Ad-aware 6 from Download.com> about halfway down the page. Save aaw6181.exe into its own directory, NOT in a TEMPorary folder or on the Desktop.
    I recommend c:/program files/adaware/
  • Doubleclick aaw6181.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
  • Open AdAware from Start | Programs | Lavasoft | Adaware.
  • Select <Check for updates now>, <Connect>, let it install all updates.
  • Setting adjustments. [[Green = checked]] Click the Gear Icon in the top right corner. Make sure the following are selected/checked.
    • By default you will now be in the <General> section
      • Check Automatically save log-file
      • Check Automatically quarantine objects prior to removal
      • Check Safe Mode (always request confirmation)
    • Click <Scanning>
      • Check Scan within archives
      • Check Scan active processes
      • Check Scan registry
      • Check Deep scan registry
      • Check Scan my IE Favourites for banned URLs
      • Check Scan my Hosts files
      • Under Click here to select drives + folders', check all of your harddrives
    • Click <Advanced>
      • Check Include additional process information
      • Check Include additional file information
      • Check Include environmental information
      • Check Include additional object details
    • Click <Tweak>
      • Under Scanning engine
        • Check Unload recognized processes during scanning.
        • Check Include basic Ad-aware settings in logfile.
        • Check Include additional Ad-aware settings in logfile
      • Under Cleaning engine
        • Check Let Windows remove files in use at next reboot.
        • UNcheck Automatically try to unregister objects prior to deletion
    • Click <Proceed>
    • Click <Start>
    • Check Activate in-depth scan.
  • Select Perform smart system-scan, click <Next>
  • Rightclick on any entry and choose Select All Objects>. Click <Quarantine> to remove all those entries.
  • Close Adaware//
------------------------------------------------------------------------

That takes care of most spyware issues.
But your biggest concern should be letting attackers get onto your machine and running it as a bot (aka a Zombie machine, which is typically used to attack websites and servers with Directed Denial of Service attacks.) This is why your CPU usage is spiking.
How do you stop this? Almost any decent Firewall will prevent this invasion.

------------------------------------------------------------------------
Preventing future infections:
As a first line of defense I strongly recommend a good firewall, like Norton Firewall 2004, ZoneAlarm Pro or Kerio; all three are very highly rated. If you are short on $ there are several free options available to you. Consider ZoneAlarm or Outpost.
Running Spybot S&D and AdAware regularly is a good second line of defense.

Additional protections
SpywareBlaster and IE-SpyAd are run-once prevention programs which are also free. You only need to update them periodically. SpywareGuard is live protection from spyware.

SpywareBlaster (2.1 MB) is not a system cleaner like Spybot; rather it blocks/prevents bad ActiveX and malevolent cookies from entering your system in the first place.

IE-SpyAd (227 kB) places over 5000 sites into your Restricted Zone so you do not accidentally visit known evil sites.

SpywareGuard (1.96 MB) functions like an antivirus program, scanning files before they are opened and downloaded, but for spyware. It also protects your internet browser from hijacks.

See also "So how did I get infected in the first place?" for more information about spyware prevention.
------------------------------------------------------------------------

In your case I strongly recommend Spybot, AdAware, a good virus scanner, and a good firewall. These 4 things are essential if you want to surf the internet.

Once you have performed the above instructions, please post a new HJT log and I will check if it is clean.
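Added example, not part of this thread or of HijackThis itself: a small triage script for the O2/O3/O4 lines of a HijackThis log, written from the reviewer's side of the exchange above. It encodes the checks Detah applies by eye (an orphaned "(no file)" toolbar entry; a System32 binary registered under a Run key that Windows itself never registers; an unqualified file name that Windows resolves via its search order; the same binary wired into several autorun locations at once, which is how winupdate.exe shows up later in this thread). The sample lines are copied from the logs posted here; the allowlist of System32 binaries that XP legitimately registers under Run is an assumption. A hit means "review this entry", not "this is malware": the ATI entry is a legitimate unqualified path and is flagged just the same.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple

# Constructed sample: O3/O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {1CADD4F9-3C72-4F51-9088-5322DF3A72CE} - (no file)
O4 - HKLM\..\Run: [winregsrv] C:\WINDOWS\System32\winregsrv.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
"""

# Assumption: ctfmon.exe is the only System32 binary that XP itself registers under a Run key.
SYSTEM32_RUN_ALLOWLIST = {"ctfmon.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ABS_RE = re.compile(r"^[A-Za-z]:\\")
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\System32\\", re.IGNORECASE)


class Finding(NamedTuple):
    location: str      # "HKLM\Run", "HKLM\RunServices", "HKCU\Run", or the O2/O3 section
    name: str
    reasons: List[str]


def image_path(cmd: str) -> str:
    """Return the executable part of an autorun command line (quoted or first token)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else cmd


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Flag autorun entries in a HijackThis log that deserve a second look."""
    entries, findings = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(("O2 - ", "O3 - ")) and "(no file)" in line:
            findings.append(Finding(line[:2], line[5:], ["orphaned entry: registered but no file on disk"]))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(m.groupdict())
    # How many distinct autorun locations point at the same binary name?
    locations = defaultdict(set)
    for e in entries:
        locations[basename(image_path(e["cmd"]))].add((e["hive"], e["key"]))
    for e in entries:
        img = image_path(e["cmd"])
        reasons = []
        if not ABS_RE.match(img):
            reasons.append("unqualified path: binary resolved via search order, not a fixed location")
        if e["key"].lower() == "runservices":
            reasons.append("RunServices key: Win9x-era key rarely used by legitimate XP software")
        n = len(locations[basename(img)])
        if n > 1:
            reasons.append(f"same binary registered in {n} autorun locations")
        if SYSTEM32_RE.match(img) and basename(img) not in SYSTEM32_RUN_ALLOWLIST:
            reasons.append("System32 binary started from a Run key but not a known Windows autorun")
        if reasons:
            findings.append(Finding(f'{e["hive"]}\\{e["key"]}', e["name"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.location:<18} [{f.name}]")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it on a log pasted into SAMPLE_LOG; entries that come back clean still need the usual checks (vendor, file location, digital signature), the script only orders the review.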
 
#5 ·
Thank you, this will probably help a lot!!

This seems to be it, since I've got almost 1000 messages from the firewall asking if I want to allow incoming/outgoing TCP/UDP for three days now.

I've used Adaware regularly but it hasn't found anything (it sorted some other problems earlier).
I just ran it now and it didn't find anything but 11 tracking cookies.

I searched the harddrives for viruses yesterday and it didn't find anything. :mad:

I'll going to kill this m******er now :evil:

I'll let you know how it goes
 
#6 ·
I've done as you said above, but it seems it didn't solve the problem completely, since netsh.exe still starts and stops.

I ran Spybot and Adaware and spybot found some problems that adaware didn't find, but this didn't help either.

Anyway, here is the logfile. I almost hope it's something more, so I can stop the spiking in the CPU usage.


Logfile of HijackThis v1.98.2
Scan saved at 2:29:24 AM, on 10/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\National Instruments\Shared\License Manager\Bin\lmgrd.exe
C:\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\National Instruments\Shared\License Manager\Bin\nilm.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\npfmsg2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\NORMAN\Nvc\Bin\niu.exe
C:\WINDOWS\System32\netsh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.no/Default.asp?Ath=f
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\spybot\SDHelper.dll
O3 - Toolbar: (no name) - {1CADD4F9-3C72-4F51-9088-5322DF3A72CE} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CTFMON] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Åpne klient i skjerm &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Åpne klient i skjerm &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdateV3 - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
 
#7 · (Edited)
As far as I can tell, netsh.exe is not essential to run WinXP.
Let's delete it.

* copy the file into some new folder c:/aaaa/

* CTRL+ALT+DEL | Task Manager | select netsh.exe | End Task.

* Use your Find Files and delete every instance of this program, except the c:/aaaa/netsh.exe backup. Should be only the one instance at c:/windows32/netsh.exe. If there are other instances, please write down the full path.

* Reboot. Open a few programs, visit some websites, play a game of Solitaire. Close everything, then repost a new HJT log. And we will see if you are clean. Remember, close all programs before making your HJT log.

* If this works, then after a few weeks have passed and you received no notices about needing it, you can permanently delete the c:/aaaa/netsh.exe directory and file.
 
#8 ·
Same problem with me!

Hi, I have had the same problem with netsh.exe, and I have found great help in this site! Now I hope that I have got rid of the problem, for now...

I have myself searched through my computer without finding any virus. Neither do I see any suspicious processes running. Though, I paste my HijackThis logfile below.

The netsh.exe process stopped restarting after I ran Spybot - Search and Destroy. Try installing it! I just followed the above information. It is worth mentioning, I think, that all three of us (also one at microsoft.public.windowsxp.security_admin) reporting this problem are using Norman Virus Control and Norman Personal Firewall. I will try to scan my computer with Norton's online virus scanner.

It may also be that netsh.exe disappeared from task manager after I stopped
and restarted the firewall. Try this as well.

Logfile of HijackThis v1.98.2
Scan saved at 22:34:34, on 13.09.2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norman\NVC\BIN\Zanda.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\MXOaldr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.EXE
C:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\npfmsg2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.chello.no:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll


-- Espen
 
#9 ·
Hi espenhjo and welcome to TSF.

Please do not post your log file into someone else's thread. This is to avoid any confusion. Please create your own thread and post it there.
 
#10 · (Edited)
Hi again. I have not been online for some days, but now I'm back again.

I have reinstalled Windows XP home to see if this had anything to do with it, but it started as soon as I installed the firewall.

When I stop the firewall it stops, but it starts as soon as I start it again.
So it might be safe to say it's the firewall that causes this.

I've tried to move the netsh.exe file into a Zipped folder, but it still starts and stops. Even if the file isn't there :eek:

Here is the latest HijackThis logfile

Logfile of HijackThis v1.98.2
Scan saved at 05:45:50, on 16.09.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE
C:\WINDOWS\System32\winupdate.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Programfiler\norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NYMSE.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NIP.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\npfmsg2.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\cclaw.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094830573703

I've also had some problems with "Popup Porn" while playing a game, and the virus scan found out that the file C:\WINDOWS\System32\winupdate.exe was a "W32/backdoor".
 
#11 · (Edited)
C:\WINDOWS\System32\winupdate.exe
is a bad guy. I believe you have the backdoor.bmbot trojan. This is another nasty one. I am very surprised that one of the earlier virus scans did not pick this up.
You may find more information about this trojan here:
http://www.symantec.com/avcenter/venc/data/backdoor.bmbot.html
----------------------------------------------------------------
To show hidden files:
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
----------------------------------------------------------------
Turn off System Restore
My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot.
After we are finished with your log file and verified that it’s clean, you may turn it back on and create a new restore point.
----------------------------------------------------------------
You should run an online virus scan. Select one or more of the following. Select Autoclean if you use TrendMicro. Online virus scans can be superior to PC scans because some malware can infect your PC virus scanner.
Panda aka http://www.pandasoftware.com/activescan/com/activescan_principal.htm
TrendMicro aka http://housecall.trendmicro.com/
RAV Antivirus aka http://www.ravantivirus.com/scan
When you are done, post a new HJT log.

I do not trust your virusscanner anymore at all. I think after this is all over, you should consider getting a more reputable, highly-rated, trusted virusscanner.
----------------------------------------------------------------
It should not be necessary to reinstall your OS, or reformat or anything so drastic. We will get this fixed. Trust me. I do not let trojans win.

EDIT:
Do not attempt to edit your registry yet. I will give you precise instructions on how to safely delete the entry that is bugged. Let's do the online virus scans first.
 
#12 ·
The online virus scan didn't find anything.

I didn't have the virus before I reinstalled Windows, so I guess it was on one of the CDs for my other software, since I know for a fact that I didn't get it from an e-mail.

Anyway here is my new logfile

Logfile of HijackThis v1.98.2
Scan saved at 18:46:25, on 17.09.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Programfiler\norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NYMSE.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NIP.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\npfmsg2.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Programfiler\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094830573703
 
#13 ·
Now we will remove winupdate.exe.

Reboot in Safe Mode. To reboot in Safe Mode, tap the F8 key while your computer is restarting. Select Safe Mode from the list.

CTRL+ALT+DEL | Task Manager | Processes tab | select winupdate.exe. It may not be present, and that's ok.
Now open Windows Explorer and delete c:/windows/system32/winupdate.exe.
It may not be present. That's ok too.

----------------------------------------------------------------
Open the Registry Editor
Click Start | Run | type "regedit"
Now we will make a backup of your Registry. Click File | Export. A Save dialogue window will open. Type a name like <Registry backup 9-9-04.reg> and save it in a permanent directory on your hard drive, like c:/program files/Registry backups/

* Now navigate to the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, right-click to delete the value

Microsoft auto update


* Close the Registry Editor.
----------------------------------------------------------------
Open Windows Explorer | Find Files | search for any instance of winupdate.exe and delete it.
----------------------------------------------------------------
Empty your c:/windows/TEMP folder. Note: only empty the contents of the folder, leave the folder there.
----------------------------------------------------------------
Open HJT | Scan, check/select the following:


O4 - HKLM\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [WindowsRegKey update] winupdate.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1094830573703


Click Fix checked.
----------------------------------------------------------------
Empty your recycle bin

Reboot into normal mode
----------------------------------------------------------------
Post another HJT log and we'll see how things look.
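The removal steps above come down to one question a responder answers by eye: which O4 autostart entries in a HijackThis log look wrong? The script below is an added example, not part of this thread and not HijackThis code; it parses the O4 registry lines (the HKLM/HKCU Run-style entries; Global Startup lines are skipped) and applies the same heuristics a responder uses when reading a log: a bare file name instead of a full path, the same entry registered in several autostart locations at once, the legacy RunServices key, and a Microsoft-sounding label that does not point into a Windows system path. The sample log is constructed from the O4 entries posted earlier in this thread; the heuristic names and weights are my own assumptions, not a published detection rule.

```python
"""Heuristic triage of HijackThis O4 (registry autostart) entries.

Added example for this thread; not part of HijackThis. The heuristics are
the author's assumptions, chosen to mirror what a human responder looks for.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the O4 lines from the first log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [WindowsRegKey update] winupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
""".strip().splitlines()

# O4 - <hive>\..\<key>: [<label>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Words that malware labels borrow to blend in with system components (assumption).
VENDOR_WORDS = ("windows", "microsoft", "update")


@dataclass(frozen=True)
class AutostartEntry:
    hive: str
    key: str
    name: str
    command: str


def parse_o4(lines):
    """Return the registry-backed O4 entries found in the given log lines."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutostartEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def executable_of(command):
    """Extract the image path from a Run value, honouring a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    # Unquoted: everything before the first " /switch" is treated as the path.
    return cmd.split(" /", 1)[0].strip()


def is_absolute_path(path):
    return re.match(r"^[A-Za-z]:\\", path) is not None


def triage(entries):
    """Map (hive, key, label) -> list of reasons for every entry worth a look."""
    locations = defaultdict(set)
    for e in entries:
        locations[(e.name.lower(), e.command.lower())].add((e.hive, e.key))

    findings = {}
    for e in entries:
        exe = executable_of(e.command)
        reasons = []
        if not is_absolute_path(exe):
            reasons.append("bare file name: resolved via the search path, not a fixed location")
        if e.key.lower() == "runservices":
            reasons.append("legacy RunServices key (Windows 9x); unusual for XP-era software")
        n = len(locations[(e.name.lower(), e.command.lower())])
        if n >= 2:
            reasons.append(f"identical entry in {n} autostart locations (redundant persistence)")
        label = (e.name + " " + exe).lower()
        if any(w in label for w in VENDOR_WORDS) and not is_absolute_path(exe):
            reasons.append("Microsoft/update-style label without a Windows system path")
        if reasons:
            findings[(e.hive, e.key, e.name)] = reasons
    return findings


def report(findings):
    """Render findings as HijackThis-style lines a responder can paste back."""
    out = []
    for (hive, key, name), reasons in sorted(findings.items()):
        out.append(f"O4 - {hive}\\..\\{key}: [{name}]")
        out.extend("    - " + r for r in reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(parse_o4(SAMPLE_LOG))))
```

Run against the sample, the three winupdate.exe entries are the only ones reported, and the RunServices copy collects all four reasons; the ATI, Norman, Nero and MSN Messenger entries, all full paths registered once, produce nothing. The output is deliberately in the same O4 form the thread uses, so it can be compared line by line with the "check and fix" list a responder posts.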
 
#14 ·
Here is my new hijacklog

Hope it starts to look okay now

Logfile of HijackThis v1.98.2
Scan saved at 00:41:10, on 20.09.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NYMSE.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NIP.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\npfmsg2.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\cclaw.exe
C:\Programfiler\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
 
#15 ·
Check and fix:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore


You should be clean now.

To help prevent future spyware installations/infections, please read my anti-spyware section and use the tools provided.

Any problems now?
 
#16 ·
Everything seems to run okay now! :bgrin:

Thank you for the help!!

Anyway here is my latest HijackThis log, I hope it's okay:

Logfile of HijackThis v1.98.2
Scan saved at 22:13:53, on 21.09.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NPFSVICE.EXE
C:\Programfiler\norman\NVC\BIN\Zanda.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NYMSE.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NIP.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\npfmsg2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\PROGRAMFILER\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAMFILER\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\PROGRAMFILER\NORMAN\Nvc\Bin\niu.exe
C:\Programfiler\HijackThis\HijackThis.exe
C:\WINDOWS\System32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAMFILER\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
 
#17 ·
Everything looks pretty good now. But I would recommend that you replace your Norman Firewall with something better. Norman just isn't doing its job.


Preventing future infections:
As a first line of defense I strongly recommend a good firewall, like Norton Firewall 2004, ZoneAlarm Pro or Kerio; all three are very highly rated. If you are short on $ there are several free options available to you. Consider ZoneAlarm or Outpost.
Running Spybot S&D and AdAware regularly is a good second line of defense.

Additional protections
SpywareBlaster and IE-SpyAd are run-once prevention programs which are also free. You only need to update them periodically. SpywareGuard is live protection from spyware.

SpywareBlaster (2.1 MB) is not a system cleaner like Spybot; rather it blocks/prevents bad ActiveX and malevolent cookies from entering your system in the first place.

IE-SpyAd (227 kB) places over 5000 sites into your Restricted Zone so you do not accidentally visit known evil sites.

SpywareGuard (1.96 MB) functions like an antivirus program, scanning files before they are opened and downloaded, but for spyware. It also protects your internet browser from hijacks.

See also So how did I get infected in the first place? for more information about spyware prevention.
 