Please help me to remove Spywarestrike 2.5!



Tvangeste
2006-02-04, 14:23
I can't get rid of spywarestrike 2.5... have tried with spyware doctor, spybot... nothing works. What should I do? I'm a real rookie with computers...! =)

pskelley
2006-02-04, 17:16
Hi, I would start here:
Updated topic posted:
http://forums.spybot.info/showthread.php?t=1958


Follow those instructions except you do not need to start a New Topic, stick with this same one and I will get notified when you post.

Thanks...pskelley
Safer Networking Forums

Tvangeste
2006-02-06, 14:21
1.
Logfile of HijackThis v1.99.1
Scan saved at 11:07:16, on 2006-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ldwbdi.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\Program\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\ewido anti-malware\ewidoguard.exe
C:\Program\ewido anti-malware\ewidoctrl.exe
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Program\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareStrike] C:\Program\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
O9 - Extra button: Poker Million Online Poker - {47C16927-7BDE-465a-8E68-CE9C2CBB15B7} - C:\Program\pokermillionMPP\MPPoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.tele2.se
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido anti-malware\ewidoguard.exe
O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

Tvangeste
2006-02-06, 14:25
3.

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]

Running from
C:\Documents and Settings\optik\Skrivbord\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

SharedTaskScheduler exporter by Grinler

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
@="Empty Value"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

quick launch SpywareStrike 2.5.lnk


~~~ Favorites ~~~



~~~ system32 folder ~~~

replmap.dll
1024 dir
ld****.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 772 'explorer.exe'
Killing PID 772 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

SharedTaskScheduler exporter by Grinler

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)



4.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 13:24:00, 2006-02-06
+ Report-Checksum: DE551A36

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\optik\Cookies\optik@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/cd_install_329.exe/cd_clint.dll -> Spyware.Cydoor : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter1.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter13.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
-> : Error during cleaning
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter16.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter2.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter2.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter4.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter5.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter6.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter7.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@counter8.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@cz11.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@ehg-247internet.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@hg1.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@phg.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@sexlist[2].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@spylog[2].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Program\NoAdware4\NoAdwareBackup\11,2,2005_18,55,11.zip/optik@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\WINDOWS\system32\pskill.exe -> Not-A-Virus.NetTool.Win32.PsKill : Cleaned with backup
C:\WINDOWS\tstlb.hta -> Downloader.Psyme.av : Cleaned with backup


::Report End


5.

Logfile of HijackThis v1.99.1
Scan saved at 13:41:18, on 2006-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ewido anti-malware\ewidoctrl.exe
C:\Program\ewido anti-malware\ewidoguard.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ldwbdi.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\Program\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
O9 - Extra button: Poker Million Online Poker - {47C16927-7BDE-465a-8E68-CE9C2CBB15B7} - C:\Program\pokermillionMPP\MPPoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.tele2.se
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido anti-malware\ewidoguard.exe
O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe


I think the problems are gone! =)
I don't get this annoying tool bar pop up "Your computer is infected" anymore!

Tvangeste
2006-02-06, 14:28
3.

The spybot report is 70000 characters long... and 20000 is maximum.
Should I split it and post it anyway?

pskelley
2006-02-06, 14:59
Hold with what you have posted. I believe I have all the information I need now, and will let you know if I need more. What I do need is breakfast, been at this since five AM. You will be first after food.:bigthumb:

Thanks...Phil

pskelley
2006-02-06, 16:39
Hello and sorry for the delay. We do have a little more work to do, though as you said, it looks like the major infection is gone. Hold on to that Spybot log just in case I need it later; you may delete it once I pronounce you clean if I forget to tell you. One of the problems of working with global logs (and I do not know where you are located) is we often do not recognise all legitimate software, and you have one onboard now I need to ask your help with. This is also running as a service.
C:\WINDOWS\system32\ldwbdi.exe
O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe
Hackers call their junk anything to keep us from finding it. If you know this is a valid program, just let me know. If not, then use at least two of these free online scans to validate the item one way or the other. Let me know your findings.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

ewido anti-malware - Scan report Created on: 13:24:00, 2006-02-06

Looks like ewido was able to delete everything it located. You are allowing some nasty cookies to get to your computer; if you would like to control this, use this information:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

Logfile of HijackThis v1.99.1 Scan saved at 13:41:18, on 2006-02-06

We have a few issues here to fix, and I may have to remove the item I asked about above once you let me know what it is.

Turn off Spyware Doctor, it may block the fix we must make with HJT, make sure you remember to turn it back on when you finish.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SpywareStrike] C:\Program\SpywareStrike\SpywareStrike.exe /h
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
O9 - Extra button: Poker Million Online Poker - {47C16927-7BDE-465a-8E68-CE9C2CBB15B7} - C:\Program\pokermillionMPP\MPPoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program\PartyPoker\PartyPoker.exe
(you may leave the next one if you want that as your startpage)
O14 - IERESET.INF: START_PAGE_URL=http://start.tele2.se

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders... reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program\SpywareStrike\ >>> folder

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

If we have not run a good cleaner yet, and you need one, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Post the information I need from above and a new HJT log. Let me know how things are running and if the item running as a service is valid, you will be on your way.

Thanks...Phil

Tvangeste
2006-02-06, 17:12
I live in Sweden...!
I have no idea what "ldwbdi.exe" is. Kaspersky found nothing but virusscan.jotti found this:
Dr.Web Found BACKDOOR.Trojan (probable variant)
NOD32 Found a variant of Win32/Delf.HZ
VBA32 Found Backdoor.Delf.150 (paranoid heuristics) (probable variant)

pskelley
2006-02-06, 17:20
OK...thanks, and I have other friends in Sweden. That item is bad. Would you like me to edit it into that last set of instructions, or should I let you complete those, then give you additional instructions for the removal after I see a new HJT log? I can do it either way, your call. Good thing you speak English:bigthumb: I always have a hard time finding a good translation for Swedish.

Thanks....Phil

Tvangeste
2006-02-06, 17:43
I can do the other things first...

Nothing happens when I try to download ccleaner...?
It was the same with panda activescan, nothing happened when I push the "check now" button??!!

pskelley
2006-02-06, 17:54
I may be using links to varieties of the programs that need European versions. I apologize if this is the case. Just recap for me by the numbers so I can see what you could not run. We will decide later if we need to run another tool. I will wait until you post, review the progress and give you the instructions to remove the other bad item.

Thanks...Phil:bigthumb:

Tvangeste
2006-02-06, 18:21
Hello again... I have done what you told me to and here is the HijackThis log



Logfile of HijackThis v1.99.1
Scan saved at 18:16:37, on 2006-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\ldwbdi.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\bin\ZANDA.EXE
C:\Program\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\ewido anti-malware\ewidoguard.exe
C:\Program\Hijackthis\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~2\tools\iesdpb.dll
O4 - HKCU\..\Run: [Spyware Doctor] C:\Program\SPYWAR~2\swdoctor.exe /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido anti-malware\ewidoguard.exe
O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

pskelley
2006-02-06, 18:37
OK...seems you want this done, as I sure do. When I search for this:
Your search - ldwbdi.exe - did not match any documents <<< Google tells me this.

When I look at this:
O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe
http://www.theeldergeek.com/windows_management_instrumentation_driver_extensions.htm
http://www.microsoft.com/whdc/system/pnppwr/wmi/default.mspx

There is no way I can remove this item, unless you tell me in writing you want me to show you how it is done. It may well be valid.

As far as I can see at this point, the log is clean. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html

I need to give you this information:
Ewido is a great program but it does use some resources.
Once the trial is over you can update and use the scanner
for as long as you wish, but unless you purchase it you should turn it off
completely so it does not run unless you start it manually.

And this:
System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

Safe surfing:bigthumb:

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.

Tvangeste
2006-02-06, 18:50
Thanks for all your help pskelley!:beerbeerb

I want to get rid of the ldwbdi.exe file... and I would be pleased if you help me with that!! :bigthumb:

pskelley
2006-02-06, 19:05
OK, you have looked at that information and you are aware that it may be a valid program. In order to remove it we will need to do this:

1) Disable a Service
Click Start > Run and type services.msc.
Scroll down to Windows Management Instrumentation Driver and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

***I suggest you run your computer to see if there are any problems that occur with this service disabled***

2) Open HJT and choose the "Open the Misc Tools section"
Choose open process manager
Locate and highlight: C:\WINDOWS\system32\ldwbdi.exe
click on Kill process
Navigate to C:\WINDOWS\system32\ldwbdi.exe <<< filed in red and delete it. It will go to the recycle bin and could be recovered from there unless you have bypassed the recycle bin.

Restart the computer.

3) When you are positive you do not need that service, you can delete it like this:
Delete a Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type ldwbdi and press OK.
OK any prompts, close HijackThis, and restart your computer.

***once deleted, HJT in this case can not return the service.

Safe surfing...Phil :bigthumb:

tashi
2006-02-13, 03:30
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the topic.

Glad we could help. :)

Tvangeste
2006-03-07, 17:28
Hi!
Since you guys here helped me to remove spywarestrike (which I am really thankful for)
I can't open javascript/javascript popups.:scratch:
I have reinstalled Java but it doesn't work, and I have asked around for a long time but can't get it to work!

I need your expertise once again...! :bigthumb:

/Tvangeste

pskelley
2006-03-07, 21:17
Hello and welcome back. I'm not quite sure how much help I can be with a Java issue, since I do not use it, but I will do what I can. First, make sure you have reviewed this information:
http://forums.spybot.info/showthread.php?t=2559
and make sure you follow those instructions. Here are a few other links that might help:
http://www.java.com/en/download/help/5000020300.xml
http://java.sun.com/j2se/1.5.0/download.jsp
http://www.java.com/en/download/installed.jsp
http://java.sun.com/j2se/1.3/install-windows.html
http://java.sun.com/developer/support/ <<< please note the user groups in this link where you can post for help from peers.

For my part, I would like to look at a current HJT log to make sure malware is not creating a problem. I would also like to look at your uninstall list like this:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Thanks

Tvangeste
2006-03-09, 14:38
Logfile of HijackThis v1.99.1
Scan saved at 14:27:36, on 2006-03-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\bin\ZLH.EXE
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\ewido anti-malware\ewidoctrl.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\Program\Internet Explorer\iexplore.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: *.blip.se
O15 - Trusted Zone: http://*.blip.se
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe





1st Page 2000 2.00 Free
Acoustica MP3 Audio Mixer
Ad-Aware SE Personal
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
Adobe Photoshop Elements 2.0
Adobe Reader 7.0 - Svenska
Anki och Pytte
ArcSoft VideoImpression 1.6
AVI to VCD/DVD 3.32
BitTornado 0.3.7
BitTorrent 4.4.1
CamStudio
CCleaner (remove only)
Chessmaster 9000
Comic Kicker
CSI
CSI-Dark Motives
DAEMON Tools
DC++ 0.674
DD Tournament Poker 1.0
Digital Camera Driver
DivX 4.11 Codec
ewido anti-malware
Expekt.com Poker
Far Cry Screen Saver
Fritz7
FruityLoops Studio Producer Edition v4.01
GoldWave v5.06
Google Earth
Google Toolbar for Internet Explorer
Guitar Master Pro 1.0
Guitar Pro 4.0
Guitar Pro 5.0
Half-Life
Hijackthis 1.99.1
HijackThis 1.99.1
Hitta Nemo
HP Foto & bilduppbyggnad 3.1
HP PSC & OfficeJet 3.0
HP Software Update
Huffyuv AVI lossless video codec (Remove Only)
ILLUSION ????2
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD 4
InterVideo WinDVD Creator
Ipswitch WS_FTP Home
J2SE Runtime Environment 5.0 Update 6
Kasparov Chessmate
Macromedia Flash Player 8
Macromedia Shockwave Player
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 1.1 Swedish Language Pack
Microsoft AutoRoute v11.0
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard - WE 2004
Microsoft Halo
Microsoft Picture It! Photo Standard 9
Microsoft Windows Media Video 9 VCM
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite-tillägg för Microsoft Word
MP3 To Wave Converter PLUS
MSDE
MSN Messenger 7.5
MSXML 4.0 SP2 Parser and SDK
Nero OEM
NeroVision Express 2 SE
Norman Internet Control
Optitec
PartyPoker
PhotoSuite 4 (Remove Only)
Photovista Panorama 2.02
Poker Million Online Poker
Poker Superstars Invitational
QuickTime
Rayman Pocket
RealPlayer
Shockwave
Sierra Utilities
Smart Link 56K Modem
Sonic Foundry Vegas 4.0
Sony Sound Forge 8.0
SoundMAX
Spybot - Search & Destroy 1.4
Startprogram för installation av Microsoft Works 2004
Säkerhetsuppdatering för Step by Step Interactive Training (KB898458)
Säkerhetsuppdatering för Windows Media Player (KB911564)
Säkerhetsuppdatering för Windows Media Player 10 (KB911565)
Säkerhetsuppdatering för Windows XP (KB883939)
Säkerhetsuppdatering för Windows XP (KB890046)
Säkerhetsuppdatering för Windows XP (KB893756)
Säkerhetsuppdatering för Windows XP (KB896358)
Säkerhetsuppdatering för Windows XP (KB896422)
Säkerhetsuppdatering för Windows XP (KB896423)
Säkerhetsuppdatering för Windows XP (KB896424)
Säkerhetsuppdatering för Windows XP (KB896428)
Säkerhetsuppdatering för Windows XP (KB896688)
Säkerhetsuppdatering för Windows XP (KB899587)
Säkerhetsuppdatering för Windows XP (KB899588)
Säkerhetsuppdatering för Windows XP (KB899591)
Säkerhetsuppdatering för Windows XP (KB900725)
Säkerhetsuppdatering för Windows XP (KB901017)
Säkerhetsuppdatering för Windows XP (KB901190)
Säkerhetsuppdatering för Windows XP (KB901214)
Säkerhetsuppdatering för Windows XP (KB902400)
Säkerhetsuppdatering för Windows XP (KB903235)
Säkerhetsuppdatering för Windows XP (KB904706)
Säkerhetsuppdatering för Windows XP (KB905414)
Säkerhetsuppdatering för Windows XP (KB905749)
Säkerhetsuppdatering för Windows XP (KB905915)
Säkerhetsuppdatering för Windows XP (KB908519)
Säkerhetsuppdatering för Windows XP (KB911927)
Säkerhetsuppdatering för Windows XP (KB912919)
Säkerhetsuppdatering för Windows XP (KB913446)
Take-Out Weight Curling 2
The Never Ending Fantasy Machine
TopSpin
Torino 2006
Trivial Pursuit
Uppdatering för Windows XP (KB894391)
Uppdatering för Windows XP (KB896727)
Uppdatering för Windows XP (KB898461)
Uppdatering för Windows XP (KB910437)
Vem vill bli miljonär
VGA USB Camera (2120)
Windows Genuine Advantage Notifications
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
VobSub v2.05 (Remove Only)
XoftSpy

pskelley
2006-03-09, 16:21
OK, let's get this done first, here you said:
2006-02-06, 19:50
I want to get rid of the ldwbdi.exe file... and i would be pleased if you help me with that!! I gave you instructions here: 2006-02-06, 20:05 and yet this item is still in the log. I do not know if this is what is affecting Java?

O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe (file missing)

Follow these instructions if you still want this item removed. I want to make you aware that this: Windows Management Instrumentation can be located here: http://www.microsoft.com/whdc/system/pnppwr/wmi/default.mspx
but I can not locate information about this:
O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe (file missing) nor can I find any information other than what you located earlier:
2006-02-06, 18:12 here: I have no idea what "ldwbdi.exe" are. Kaspersky found nothing but virusscan.jotti found this:
Dr.Web Found BACKDOOR.Trojan (probable variant)
NOD32 Found a variant of Win32/Delf.HZ
VBA32 Found Backdoor.Delf.150 (paranoid heuristics) (probable variant)
If you want to scan again before removing the item, the links are still there on this date: 2006-02-06, 18:12

I have no idea why the item was not removed before; I did supply you with removal instructions at your request?

Here are those instructions again:

1) Disable the Service
Click Start > Run and type services.msc
Scroll down to Windows Management Instrumentation Driver and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

2) Delete the Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type Windows Management Instrumentation Driver and press OK.
OK any prompts, close HijackThis, and restart your computer.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(I suggest you remove the next two, your call)
O15 - Trusted Zone: *.blip.se
O15 - Trusted Zone: http://*.blip.se
O23 - Service: Windows Management Instrumentation Driver (ldwbdi) - Unknown owner - C:\WINDOWS\system32\ldwbdi.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders... reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\ldwbdi.exe <<< delete that file
Empty the recycle bin and restart the computer and make sure the items are gone from the log.

On your uninstall list, I am looking for bad programs or out of date security, and I will not know all of your programs, but you should. You should use the list to decide what you no longer use and uninstall it.

J2SE Runtime Environment 5.0 Update 6 <<< this looks like a new version? If you communicate with Java, give them this version.

I would uninstall these unless they are on a CD
PartyPoker
Poker Million Online Poker
Poker Superstars Invitational

Post a new log so I can see ldwbdi.exe has been removed. I would see if any of the links I provided help, do try to install the new version once you remove the service. Here is the information tashi provided: http://forums.spybot.info/showthread.php?t=2559

For your information:
http://www.java.com/en/download/help/switchvm.xml

I hope this helps...Phil
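
The O23 line above shows a registered service whose binary is gone from disk, which HijackThis flags as "(file missing)". As an added example, not part of this thread or of HijackThis, here is a PowerShell check that lists every such orphaned service on a current Windows system; it assumes PowerShell 3 or later with the CIM cmdlets, and the service names it reports come from the machine, not from this thread.

```powershell
# Added example (not from the thread): list services whose registered binary is
# missing on disk, the condition HijackThis reports as "(file missing)" in O23 lines.
# Assumes PowerShell 3+ with the CIM cmdlets available.

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    # PathName may be quoted, carry arguments, or use %SystemRoot%-style variables.
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName).Trim()
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }
    # Unquoted path: keep everything up to the first .exe/.sys/.dll followed by
    # whitespace or end of string, so "svchost.exe -k netsvcs" yields svchost.exe.
    $m = [regex]::Match($expanded, '^(.*?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

function Get-OrphanedService {
    # Emits one object per service whose binary cannot be found on disk,
    # including its short name (what "Delete an NT service" expects) and
    # its display name, which can be chosen freely and need not match the owner.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $bin = Get-ServiceBinaryPath -PathName $_.PathName
        if (-not (Test-Path -LiteralPath $bin -PathType Leaf)) {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                StartMode   = $_.StartMode
                BinaryPath  = $bin
            }
        }
    }
}

Get-OrphanedService | Format-Table -AutoSize
```

The Name column is the short service name (ldwbdi in this thread), which is what the HijackThis delete dialog asks for, as the reply below the instructions shows.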

Tvangeste
2006-03-10, 16:57
Hello!

2) Delete the Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type Windows Management Instrumentation Driver and press OK.



When I do this it says "Service "Windows Management Instrumentation Driver" was not found in the registry. Make sure you entered the short name of the service., vbExclamation"

pskelley
2006-03-10, 17:14
OK, try this: (ldwbdi) without the brackets. :scratch:

Tvangeste
2006-03-10, 17:42
RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\ldwbdi.exe <<< delete that file
Empty the recycle bin and restart the computer and make sure the items are gone from the log.



It's gone... i can't find it...

Tvangeste
2006-03-10, 17:45
Logfile of HijackThis v1.99.1
Scan saved at 17:44:45, on 2006-03-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\bin\ZLH.EXE
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\ewido anti-malware\ewidoctrl.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Norman\bin\ZANDA.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

Tvangeste
2006-03-10, 18:33
When I reboot I get a message that says "Operating system not found"...?:scratch:
I have to turn the PC off then start it again to enter Windows...?!

Tvangeste
2006-03-10, 18:47
"Nothing happens when I try to download CCleaner...?
It was the same with Panda ActiveScan, nothing happened when I pushed the "check now" button??!!" That's because it was JavaScript!
How do you do these things?

I can't understand how you cannot use Java??
I need Java for everything I do...
When I buy tickets to the cinema etc., when I play games on the internet...
And when I search and download different kinds of things on the internet it's always JavaScript!!??

pskelley
2006-03-10, 20:18
Your HJT log is clean of malware. I provided you with many links where you can get help with the Java problem. Here is another one: http://www.google.com/search?hl=en&lr=&q=troubleshoot+Java+problems&btnG=Search
I suggest you review those links or contact http://java.sun.com/developer/support/ for answers to your questions.

Thanks...pskelley
Safer Networking Forums

Tvangeste
2006-03-10, 20:57
Ok thanks for your help pskelley :bigthumb:

LonnyRJones
2006-03-13, 14:42
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.

If you should need to post another log for the same PC let Me, pskelley or Tashi know.

Thanks pskelley