
Not open for further replies.
1 - 3 of 3 Posts

3 Posts
Discussion Starter #1 (Edited)
I understand if you have a lot to do, but I could really use some help. So if anyone has time to take a look at my problem I would really appreciate it.
Please excuse my English, as it's not my mother tongue (as you can see :sad: ).
Here's the problem: I have a lot of running processes on my computer at all times. 44 actually...and that's a lot more than everyone else I know. It really slows down my computer, so I want to get rid of the useless ones. I googled to see what all the processes were, and most of them look harmless, but some I'm not sure about. 7 or 8 of them look like they're Norman Antivirus (could this be right? So many?). I also have a process running called crss.exe, and according to all websites, it's a virus. However, I can't seem to get rid of it. I have, as mentioned, Norman Antivirus. I also have Ad-aware and Spybot Search & Destroy, but none of these could find it. I've also tried the online scan Trend Micro HouseCall (as recommended in the sticky), but it couldn't find it either (it did however find and remove a couple other files).
So I ran HijackThis and the HijackThis Analyzer. The result is posted below.

Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at

***Security Programs Detected***


Logfile of HijackThis v1.99.1
Scan saved at 17:46:22, on 15.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
c:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
D:\Christer\Software\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Christer\Software\Spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Programfiler\EPOX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [AtiPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MemoryCardManager] C:\Programfiler\Lexmark\Lexmark Photo Center\MemoryCardManager.exe -startup
O4 - HKLM\..\Run: [Norman ZANDA] C:\Programfiler\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Christer\Winamp\winampa.exe
O4 - HKLM\..\Run: [LXBLKsk] C:\PROGRA~1\Lexmark\PHOTOC~1\LXBLKsk.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\christer\software\steam for halflife2\steam.exe" -silent
O4 - HKCU\..\Run: [Utopia Angel] "D:\Christer\Software\Angel\Angel.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programfiler\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) -
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Programfiler\Fellesfiler\Microsoft Shared\Help\hxds.dll
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Programfiler\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Programfiler\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Programfiler\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Programfiler\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Programfiler\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe

End of KRC HijackThis Analyzer Log.

Thank you for your time. I appreciate any help I can get.


Bearded Tech Monkey
1,058 Posts
Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back to address your problem A.S.A.P.

Please Subscribe to this thread, (Thread Tools->Subscribe to this Thread) so that you are notified when a reply has been made.

Please be patient with me during this time.



Bearded Tech Monkey
1,058 Posts
Hello, Christer. Thank you for being patient while I reviewed your log!

Congratulations, I’m not seeing any malware at work in your log. There’s only one questionable entry I would like you to take care of.

Please copy this page into Notepad & save it. You may also want to print out a copy of these instructions in case you need to refer back to them. If you don’t understand

Reboot into Safe Mode. (Tap the F8 key until menu shows up.)

HiJackThis Entries:
Run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Please make sure to close all open windows & browsers, then click Fix Checked.

Reboot into Normal Mode.

I’m not seeing crss.exe anywhere in your log. Can you tell me which scanner picked it up? In the meantime please do a search for it, (Start > Search > For Files or Folders…), and tell me its exact path. (e.g., C:\FolderA\FolderB\crss.exe, etc.)

Next, perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Standard
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

As for the running process issue, I’m not seeing very many in your log. This is likely because of the Analyzer, so please give me a new log, minus the analyzer so I can review your running processes. Also the Norman processes are all legit, and all supposed to be there.

Please post the following items in your next reply:
  1. Results from the Kaspersky scan
  2. New HijackThis log (in Normal Mode, without the Analyzer)
  3. Which scanner found crss.exe
  4. The full path in which crss.exe was found
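
Added example, not part of the original posts: a small Python parser for the HijackThis log format shown in this thread. It counts the lines in the "Running processes" section and looks up the full path of a given file name, the two things the reply above asks about. The function names and the shortened sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules, works on any host OS

# Constructed sample: a shortened copy of the log format shown in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 17:46:22, on 15.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
c:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
D:\Christer\Software\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Norman ZANDA] C:\Programfiler\Norman\bin\ZLH.EXE /LOAD /SPLASH
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
"""

# An entry line starts with a section code such as R0, O4 or O23.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Split a log into running-process paths and entries grouped by code."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            in_processes = False  # the first entry line ends the process list
            entries[m.group(1)].append(m.group(2))
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes and line:
            processes.append(line)
    return processes, dict(entries)

def find_process(processes, name):
    """Full path of every running process whose file name equals `name`."""
    return [p for p in processes if basename(p).lower() == name.lower()]

if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print(len(procs), "running processes listed")
    print("crss.exe found at:", find_process(procs, "crss.exe"))
    for code in sorted(ents):
        print(code, len(ents[code]), "entries")
```
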

