Svchostss.exe This a problem?

[Moritz]

Use Trojanhunter and the program found a possible trojan svchostss.exe in W32/system.
But I can not find the file because it is pitite packed.

Using PANDA antivirus which could not find any virus.
Read on Symantic security response that I could have Nibu D.

Tried to go into Safe mode and look at the registry but could not find the values that are suppose to be there if I have Nibu D.

I have windows 2000 and I was to navicate to HKEY-lokal-machine\software\microsoft\windows\currentversion\run and delete the value. "Load32"= system\swchost.exe (probebly a spelling fault) where I found svchostss.exe.
Before deleting I loooked at the next step which was to go to HKEY-lokal-
machine\software\microsoft\windowsNT\currentversion\winlogon and doubleclick on SHELL. But there is no Shell.

Do I have a virus, or???

Thankful for any help.

Moritz

Logfile of HijackThis v1.98.2
Scan saved at 15:44:29, on 06.09.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINNT\system32\internat.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
C:\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
O4 - HKLM\..\Run: [cthelp] cthelp.exe
O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SettingValue] casd.exe
O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
O4 - HKCU\..\Run: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - AppInit_DLLs: PAVWAIT.DLL

 

[Cookiegal]

Please download and run the following programs:

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware SE Personal

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

Restart your computer.

SPYBOT SEARCH & DESTROY

http://majorgeeks.com/download2471.html

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode). Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems''. Anything that needs to be fixed it will show in red and have a green check in the box to the left. Click ''Fix Selected Problems'', Then restart your computer.

Then, after rebooting, please post another log and we’ll see what’s left to get rid of.

Then go to this link and do an on-line virus scan. Be sure to check "auto clean" before starting the scan.

http://housecall.trendmicro.com/

Then reboot and post another log please.

 

[Moritz]

Here is my new log. Will now take virus scan

Regards Moritz

Scan saved at 17:31:47, on 06.09.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINNT\servcsys32.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\drwtsn32.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINNT\servcsys32.exe
C:\WINNT\system32\svchostss.exe
C:\WINNT\system32\drwtsn32.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
O4 - HKLM\..\Run: [cthelp] cthelp.exe
O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SettingValue] casd.exe
O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
O4 - HKCU\..\Run: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - AppInit_DLLs: PAVWAIT.DLL

 

[Moritz]

No viruses found

Moritz
Logfile of HijackThis v1.98.2
Scan saved at 18:32:58, on 06.09.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINNT\system32\svchostss.exe
C:\WINNT\system32\internat.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\svchostss.exe
C:\WINNT\system32\drwtsn32.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SystemServices] servcsys32.exe
O4 - HKLM\..\Run: [cthelp] cthelp.exe
O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe
O4 - HKLM\..\RunServices: [cthelp] cthelp.exe
O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SettingValue] casd.exe
O4 - HKCU\..\Run: [SystemServices] servcsys32.exe
O4 - HKCU\..\Run: [cthelp] cthelp.exe
O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - AppInit_DLLs: PAVWAIT.DLL

 

[Cookiegal]

Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

O4 - HKLM\..\Run: [SystemServices] servcsys32.exe

O4 - HKLM\..\Run: [cthelp] cthelp.exe

O4 - HKLM\..\Run: [Configuration Loader] svchostss.exe

O4 - HKLM\..\RunServices: [cthelp] cthelp.exe

O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe

O4 - HKCU\..\Run: [SettingValue] casd.exe

O4 - HKCU\..\Run: [SystemServices] servcsys32.exe

O4 - HKCU\..\Run: [cthelp] cthelp.exe

O4 - HKCU\..\Run: [Configuration Loader] svchostss.exe

Then boot to safe mode (see how below), locate and delete these files and/or folders:

servcsys32.exe - file
cthelp.exe - file
svchostss.exe - file (be very careful of spelling - do not delete svchost.exe)
casd.exe - file

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

These files may be hidden so double-click on My Computer. Go to Control Panel - Tools - folder options. Click on view tab and make sure “show hidden files and folders” is checked. Uncheck “Hide file extensions for known file types”. Uncheck “hide protected operating system files”. Click Apply then O.K.

Then reboot and post another log please.

 

[Moritz]

Need some guidance. Have come to safemode:
Found servcsys32.exe and svchostss.exe files/folders by scanning for files.
Deleted them, but could not find casd.exe or cthelp.exe.

But all these I find in REGEDIT, do I delete these (all4)??

Do I go back afterwards and check "hide file extensions for known file Types and so forth??

Moritz

 

[Cookiegal]

There is no need to make any changes to the registry via Regedit. They are probably just MRUs (Most Recently Used).

Also, it's common not to find all of the files, as long as you've searched and all files were unhidden at the time.

You can hide the files again after we're done.

 

[Moritz]

Have used Hijackthis and fixed the 9 items.
Went to safemode and found the previously mentioned files.

Did not do anything in regedit.

Logfile of HijackThis v1.98.2
Scan saved at 22:19:28, on 06.09.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavprot.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\pavsrv50.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\SYSTEM32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\WINNT\system32\internat.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programfiler\Fellesfiler\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Zero] C:\Programfiler\Pop-Up Zero\Pop-Up Zero.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [THGuard] "C:\Programfiler\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - AppInit_DLLs: PAVWAIT.DLL

Regards Moritz

 

[Moritz]

Could You tell me what it is I had on my computer when we are finished??

Moritz

 

[Cookiegal]

The log looks good now. How's everything running?

They were definitely a couple of Backdoor Trojans, probably Nibu.D and a VBScript trojan. It's possible that it hadn't executed yet or some of it's components were deleted with various scans.

I also suggest that you do the following:

Delete your temporary files:

In safe mode go to the C:\Windows\Temp folder. Open the Temporary folder. Click on Edit - select all, then Edit - delete to empty the contents.

Next navigate to the C:\Documents and Settings\Owner\Local Settings\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Delete your Internet Temporary Files:

Go to Tools - Internet Options - General tab - delete temporary Internet files – put a check beside delete off-line contents then click OK

Empty your recycle bin.

 

[Moritz]

Thank You for all your help. I will do that.
I,ve had this for 2 weeks now

Regards Moritz

 

[Cookiegal]

You're welcome.


I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD, for added protection.

http://www.javacoolsoftware.com/spywareblaster.html

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html