Removed a virus, but not the problem
Original Message
Name: Hallvard
Date: December 24, 2003 at 17:38:16 Pacific
Subject: Removed a virus, but not the problem
OS: XP home ed
CPU/Ram: AMD Athlon 1600+ / 256
Comment: Some time ago, my computer started to run really slow, and I got an error message: Zanda.exe encountered a problem and needed to close. Zanda is the main file in my Norman virus scanner, and Norman found nothing wrong. Then I scanned my computer for viruses at the housecall.trendmicro.com site. It found a worm, which was removed, and three infected files, which I deleted. But after a restart the problem was still there (slow computer and zanda.exe not working)! Housecall.trendmicro.com found nothing wrong when I tried another search. Can anyone help me? Thanks a lot! Hallvard
Response Number 2
Name: Hallvard
Date: December 25, 2003 at 13:08:02 Pacific
Reply: I've tried both Ad-Aware and Spybot, and both programs found many (about 20) files, which I deleted. But my problem is still there (slow computer and zanda.exe won't work). So here's my HijackThis log; hopefully one of you can help me?

Logfile of HijackThis v1.97.5
Scan saved at 21:58:57, on 25.12.2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\My Download Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.db.no/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = HTTP=proxy.online.no:8080;FTP=proxy.online.no:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.no;<local>
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

And merry Christmas to you all!
Response Number 3
Name: iceblue
Date: December 26, 2003 at 05:56:55 Pacific
Reply: It looks like the malware has disabled your AV. Norman runs with something like these...
C:\Norman\NVC\BIN\Zanda.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
Possibly do a full uninstall/reinstall of Norman AV. UPDATE!! your Spybot/AdAware/Hijackthis and run all three again and repost. Oh, and unless you have a Russian startpage, have HjT fix checked on this one:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.db.no/
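As an added example (not code from this thread, from HijackThis or from Norman), a small Python parser for the HijackThis v1.97 log format posted in Response 2 that automates the two checks iceblue makes in Response 3: whether a Norman autorun entry exists while none of the Norman executables he lists appear in the running-process list, and which BHO entries carry no registered name. The sample log is a constructed subset of the lines Hallvard posted.

```python
import re

# Constructed sample: a subset of the HijackThis v1.97.5 log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\My Download Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.db.no/
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Norman NVC executables as listed by iceblue in Response 3.
NORMAN_EXES = {"zanda.exe", "nvcsched.exe", "nipsvc.exe",
               "zlh.exe", "nymse.exe", "nip.exe"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."

def parse_hjt(text):
    """Return (running process paths, [(tag, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                      # first R/F/N/O entry ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def unnamed_bhos(entries):
    """DLL paths of O2 (Browser Helper Object) entries with no registered name:
    the items a log reviewer looks at first, not by themselves proof of malware."""
    return [body.rsplit(" - ", 1)[1] for tag, body in entries
            if tag == "O2" and body.startswith("BHO: (no name)")]

def av_status(processes, entries, av_exes=NORMAN_EXES):
    """configured=True with running=[] is the 'AV disabled' pattern from the thread."""
    basenames = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    configured = any(tag == "O4" and "\\Run:" in body
                     and any(exe in body.lower() for exe in av_exes)
                     for tag, body in entries)
    return {"configured": configured, "running": sorted(basenames & av_exes)}
```

On the sample log, av_status reports the Norman loader configured but no Norman process running, which is the condition iceblue reads as the AV having been disabled.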
Response Number 4
Name: Gerhard1
Date: December 31, 2003 at 04:10:12 Pacific
Reply: Hi, I had the same problem with my new Acer notebook; it seemed to be very slow, so I searched the running processes. After I disabled the ctfmon.exe process, the computer ran much faster. That will not fix your problem with zanda.exe, but maybe the performance problem! For a description of ctfmon.exe, look at: http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q282/5/99.asp&NoWebContent=1 Happy new year! Gerhard, Austria
Response Number 5
Name: iceblue
Date: December 31, 2003 at 04:51:48 Pacific
Reply: Thanks Gerhard, we're still waiting on a response from Hallvard. There are some things to fix on his log that should improve performance. The AV has most likely been disabled, and there is spyware on that log, and yes, ctfmon is running, possibly at high CPU; with a 1600/256 it should cope, but not for long without SP1 protection.