The Help2go detective alerts me but no key or program is shown

**Grensen** · 06-06-2009 06:18 PM

Hi again! I posted my HijackThis logfile into the detective and I got the "Danger"-sign followed by a message telling me that suspicious entries was found on my computer. But it didn't show any registry key or program at all. The next thing that followed was the "to do-list". Here's my scan result...do you see any suspicious?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:09:47, on 07.06.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Ngs\Bin\Nprosec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Logitech\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Bluetooth\Bluetooth-programvare\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Java\jre6\bin\jqs.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Norman\NPF\NPFSVICE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\Npm\Bin\scheduler.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Bluetooth\Bluetooth-programvare\BTTray.exe
C:\Programfiler\Norman\NPF\NPFMSG.EXE
C:\Programfiler\Logitech\SetPoint\LBTWiz.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Telenor Online - Online.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre6\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Programfiler\WOT\WOT.dll
O2 - BHO: Telenor Telenorhjelpen Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Programfiler\Telenor\Telenorhjelpen\IEFixItNowPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programfiler\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programfiler\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Programfiler\WOT\WOT.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NPF Messenger.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth - C:\Programfiler\Bluetooth\Bluetooth-programvare\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Bluetooth\Bluetooth-programvare\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Bluetooth\Bluetooth-programvare\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windo..._5.3.0.228.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1165097217546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165102026937
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://62.63.51.15/activex/AMC.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5035/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{24D0BB08-ADAB-4478-9CEE-E851636C4E6C}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{73D61A23-51AE-4624-9E4E-85C08CC05DAD}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CCB85F9-FDB5-4297-AE4B-DEB724299F87}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2991645-2ED9-4FA9-9EE4-9F106D99FEB5}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEA1D602-64CF-43B6-B1A7-DE28EBA1C8BE}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CS1\Services\Tcpip\..\{24D0BB08-ADAB-4478-9CEE-E851636C4E6C}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CS2\Services\Tcpip\..\{24D0BB08-ADAB-4478-9CEE-E851636C4E6C}: NameServer = 213.174.139.72,255.255.255.255
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Programfiler\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programfiler\Bluetooth\Bluetooth-programvare\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programfiler\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programfiler\Fellesfiler\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman Type-R - Unknown owner - C:\Programfiler\Norman\NPF\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Norman\Ngs\Bin\Nprosec.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Norman\Npm\Bin\scheduler.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11911 bytes

**evilfantasy** · 06-06-2009 07:29 PM

Everything looks OK.

The issue is that The Detective can't interpret the Scandinavian language given in the file paths.

**Grensen** · 06-06-2009 08:29 PM

I see...well thanks for checking anyway

**evilfantasy** · 06-06-2009 08:56 PM

I added a bunch of the entries to the database so in a few days it should be reading your log correctly.

**Grensen** · 06-07-2009 07:26 AM

I'll test it again soon...will post the results in this post

**evilfantasy** · 06-07-2009 08:43 AM

Having a closer look you need to fix these with HijackThis.

- R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
- O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

Also can you tell me what this is?

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

And is Haldex Ltd.your Internet Provider?

**Grensen** · 06-07-2009 09:52 AM

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

*Koblinger* is the norwegian word for *links*. After installing IE8 I got this toolbar option with several Microsoft-links (another annoying add on from Microsoft). Can that be what the R0-key is referring to?

To your next question: -No - I never heard of Haldex! My internet provider is *Telenor Online* (Telenor Online - Online.no).

Here's my recent HJT-log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39:05, on 07.06.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Ngs\Bin\Nprosec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Logitech\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Bluetooth\Bluetooth-programvare\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Java\jre6\bin\jqs.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Norman\NPF\NPFSVICE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\Bin\scheduler.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Bluetooth\Bluetooth-programvare\BTTray.exe
C:\Programfiler\Norman\NPF\NPFMSG.EXE
C:\Programfiler\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Telenor Online - Online.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre6\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Programfiler\WOT\WOT.dll
O2 - BHO: Telenor Telenorhjelpen Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Programfiler\Telenor\Telenorhjelpen\IEFixItNowPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programfiler\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programfiler\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Programfiler\WOT\WOT.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NPF Messenger.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth - C:\Programfiler\Bluetooth\Bluetooth-programvare\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Bluetooth\Bluetooth-programvare\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Bluetooth\Bluetooth-programvare\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windo..._5.3.0.228.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1165097217546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165102026937
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://62.63.51.15/activex/AMC.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5035/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{24D0BB08-ADAB-4478-9CEE-E851636C4E6C}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{73D61A23-51AE-4624-9E4E-85C08CC05DAD}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CCB85F9-FDB5-4297-AE4B-DEB724299F87}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2991645-2ED9-4FA9-9EE4-9F106D99FEB5}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEA1D602-64CF-43B6-B1A7-DE28EBA1C8BE}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CS1\Services\Tcpip\..\{24D0BB08-ADAB-4478-9CEE-E851636C4E6C}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CS2\Services\Tcpip\..\{24D0BB08-ADAB-4478-9CEE-E851636C4E6C}: NameServer = 213.174.139.72,255.255.255.255
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Programfiler\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programfiler\Bluetooth\Bluetooth-programvare\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programfiler\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programfiler\Fellesfiler\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman Type-R - Unknown owner - C:\Programfiler\Norman\NPF\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Norman\Ngs\Bin\Nprosec.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Norman\Npm\Bin\scheduler.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11645 bytes

**evilfantasy** · 06-07-2009 10:49 AM

OK the closer I look the more I see.

Open HijackThis and select Do a system scan only

Vista users right click on HijackThis and select Run as Administrator. (you will receive a UAC prompt, please allow it)

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O17 - HKLM\System\CCS\Services\Tcpip\..\{24D0BB08-ADAB-4478-9CEE-E851636C4E6C}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{73D61A23-51AE-4624-9E4E-85C08CC05DAD}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CCB85F9-FDB5-4297-AE4B-DEB724299F87}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2991645-2ED9-4FA9-9EE4-9F106D99FEB5}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEA1D602-64CF-43B6-B1A7-DE28EBA1C8BE}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CS1\Services\Tcpip\..\{24D0BB08-ADAB-4478-9CEE-E851636C4E6C}: NameServer = 213.174.139.72,255.255.255.255
O17 - HKLM\System\CS2\Services\Tcpip\..\{24D0BB08-ADAB-4478-9CEE-E851636C4E6C}: NameServer = 213.174.139.72,255.255.255.255

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM)

Alternate MBAM download link

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

**Grensen** · 06-07-2009 11:17 AM

Did as you told me to do. While scanning with MWB I got this RunDLL error msg (I translated from norwegian): "Error when loading C:\Programfiler\Fellesfiler\ParetoLogic\UUS2\UUS.dll
Specified modul not found"

I don't know whether if it is a result from the HJT-cleaning or from the MWB-scan.. I clicked OK as it didn't seem to effect the MWB-scanning process. Heres both the MWB-log and the recent HJT-log:

Malwarebytes' Anti-Malware 1.37
Databaseversjon: 2243
Windows 5.1.2600 Service Pack 3

07.06.2009 18:04:53
mbam-log-2009-06-07 (18-04-53).txt

Skanntype: Rask Skann
Objekter skannet: 88160
Tid tilbakelagt: 3 minute(s), 50 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 7

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
c:\WINDOWS\sto452688.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sto452712.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sto452739.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sto453148.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sto453224.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sto453251.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sto453660.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

HJT-log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:07:32, on 07.06.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Ngs\Bin\Nprosec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Logitech\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programfiler\Bluetooth\Bluetooth-programvare\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Programfiler\Java\jre6\bin\jqs.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Norman\NPF\NPFSVICE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\Bin\scheduler.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Norman\Npm\Bin\ZLH.EXE
C:\WINDOWS\tsnpstd3.exe
C:\Norman\Nvc\Bin\Nip.exe
C:\WINDOWS\vsnpstd3.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Programfiler\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Bluetooth\Bluetooth-programvare\BTTray.exe
C:\Programfiler\Norman\NPF\NPFMSG.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Telenor Online - Online.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre6\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Programfiler\WOT\WOT.dll
O2 - BHO: Telenor Telenorhjelpen Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Programfiler\Telenor\Telenorhjelpen\IEFixItNowPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programfiler\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programfiler\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Programfiler\WOT\WOT.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Programfiler\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NPF Messenger.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send til &Bluetooth - C:\Programfiler\Bluetooth\Bluetooth-programvare\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Bluetooth\Bluetooth-programvare\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Bluetooth\Bluetooth-programvare\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windo..._5.3.0.228.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1165097217546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1165102026937
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game11.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://62.63.51.15/activex/AMC.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5035/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Programfiler\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programfiler\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programfiler\Bluetooth\Bluetooth-programvare\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programfiler\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programfiler\Fellesfiler\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman Type-R - Unknown owner - C:\Programfiler\Norman\NPF\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Norman\Ngs\Bin\Nprosec.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Norman\Npm\Bin\scheduler.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10661 bytes

**evilfantasy** · 06-07-2009 11:32 AM

Filer infisert:
c:\WINDOWS\sto452688.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

Be careful what you accept from Facebook. That is where this worm is from.

C:\Programfiler\Fellesfiler\ParetoLogic\UUS2\UUS.dll
Specified modul not found"

Have you installed anything from ParetoLogic? If so please uninstall it.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Thread: The Help2go detective alerts me but no key or program is shown

LinkBack

Thread Tools

The Help2go detective alerts me but no key or program is shown

OK

Great!

Did what you suggested me to do..

Koobface was found again...yikes!!