Author Topic: A froggie's big mess.... needs a hand or two... (Read 9713 times)

Goatie · « **on:** August 24, 2005, 10:48:31 PM »

Noooooooooo! this is not on my computer, but on a friend's...

Over 800 baddies were removed with Ad-Aware... (and one good file too because of F-P) 70 some still to go...
The Ad-Aware's last log file is here: http://www.landzdown.com/index.php/topic,1327.msg7077.html#msg7077.

And here is the HJT log fresh from the oven:

removed and updated below....

Corrine · « **Reply #1 on:** August 24, 2005, 11:55:40 PM »

Let's hold off on this for now as I have requested that the user run miekiemoes' LQfix first, clean with Ad-Aware and then post a new AAW logfile.

Goatie · « **Reply #2 on:** August 25, 2005, 08:30:26 PM »

AFTER LQfix...

and he is not supposed to have a SpyBot or a hosts file program running on his machine... if he does, he does'nt know he has one!!! (Corrine ask me to inform you of this...)
Logfile of HijackThis v1.99.1
Scan saved at 17:41:27, on 2005-08-25
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Setup\imgreg.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\spool\spool.exe
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.s1s1s1search.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\MS7531.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.radio-canada.ca/"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MS7531] "C:\WINDOWS\System32\ms7531.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [spool 0l7044] "C:\Program Files\spool\spool.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [*faxras] C:\WINDOWS\Fonts\faxras.exe
O4 - HKLM\..\Run: [*acvga] C:\WINDOWS\AppPatch\acvga.exe
O4 - HKLM\..\Run: [*unjava] C:\WINDOWS\Web\printers\unjava.exe
O4 - HKLM\..\Run: [*keyrun] C:\WINDOWS\inf\keyrun.exe
O4 - HKLM\..\Run: [*ipjava] C:\WINDOWS\Config\ipjava.exe
O4 - HKLM\..\Run: [*eulas] C:\WINDOWS\system\eulas.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunOnce: [*imgreg] C:\WINDOWS\system32\Setup\imgreg.exe rerun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MemoryBlaster] C:\Program Files EXTERNES\MemoryBlaster\MemoryBlaster.exe
O4 - HKCU\..\Run: [TraceBlaster] C:\Program Files EXTERNES\Trace Blaster\tbtray.exe
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Fichiers communs\GMT\GMT.exe
O4 - Global Startup: Accélérateur de démarrage AutoCAD.lnk = C:\Program Files\Fichiers communs\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Chercher avec Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/1/ms7531_nl.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.41optYplkOmji/SpySpotterCabInstall.cab
O20 - Winlogon Notify: imgreg - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - Unknown owner - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Die Hard · « **Reply #3 on:** August 27, 2005, 09:59:46 PM »

http://www.danish-shareware.dk/soft/emptemp/
Install the program and click "Options" and select "Predefined folders".
Checkmark :
C:\DOCUMENT AND SETTINGS\your account\LOCAL SETTINGS\Temp\
C:\DOCUMENT AND SETTINGS\all other accounts\LOCAL SETTINGS\Temp\
C:\DOCUMENT AND SETTINGS\your account\LOCAL SETTINGS\Temporary Internet files
C:\DOCUMENT AND SETTINGS\all other acconts\LOCAL SETTINGS\Temporary Internet files
C:\Windows\Temp
Do not use it yet

2. go here and download Ewido Security Suit:
http://www.ewido.net/en/download/

A quick guide is found here:
http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf

Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Close the program for now

3. Open the control panel applet and "Add/Remove programs" and uninstall :
PrecisionTime
Date Manager
GMT

4. Open the taskmanager (Ctrl+Alt+Del) and end these processes:
C:\WINDOWS\system32\Setup\imgreg.exe
C:\Program Files\spool\spool.exe

5. Click on (Windowskey+R) and type Services.msc . In the right pane of the window that opens scroll down to NET Framework Service (.NET Connection Service and doubleclick on it. In the new window that opens, under "Startup type" set it to "Disabled" and hit the Stop button. Click "Apply".
Now....
In the right pane again, locate the Remote Procedure Call (RPC) service.
There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.
Right-click the Remote Procedure Call (RPC) service, and then click Properties.
Click the Recovery tab.
Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
Click Apply, and then OK

6. Now we need to edit the registry, not a very complicated operation:
Click (Windowskey+R) and type Regedit>OK
In the Registry Editor, in the left panel, click the following " + ":
+ HKEY_LOCAL_MACHINE
+ Software
+ Microsoft
Ole
click on "Ole" and in the right panel, locate the entry:
EnableDCOM = "N"
Doubleclick upon it and in the field "Data" modify "N" to "Y"
No quotes.
Close the Registry Editor.

7. Go here and download Option ^Explicit´s "KillBox:
http://www.bleepingcomputer.com/files/killbox.php

Extract it to a folder of your convenience. Open the tool and checkmark "Delete on reboot". Then , in the field "Full path of file to delete" copy and paste:
C:\WINDOWS\system32\Setup\imgreg.exe
Click the red circle with a "X" and allow the system to reboot. Reboot into safe mode ( During the startup process, hit the F8-key repetedly)

8. Now, in safe mode, run HiJack This and checkmark the following details and hit "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.s1s1s1search.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\MS7531.html
R3 - Default URLSearchHook is missing
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat
O4 - HKLM\..\Run: [MS7531] "C:\WINDOWS\System32\ms7531.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [spool 0l7044] "C:\Program Files\spool\spool.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [*faxras] C:\WINDOWS\Fonts\faxras.exe
O4 - HKLM\..\Run: [*acvga] C:\WINDOWS\AppPatch\acvga.exe
O4 - HKLM\..\Run: [*unjava] C:\WINDOWS\Web\printers\unjava.exe
O4 - HKLM\..\Run: [*keyrun] C:\WINDOWS\inf\keyrun.exe
O4 - HKLM\..\Run: [*ipjava] C:\WINDOWS\Config\ipjava.exe
O4 - HKLM\..\Run: [*eulas] C:\WINDOWS\system\eulas.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunOnce: [*imgreg] C:\WINDOWS\system32\Setup\imgreg.exe rerun
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Fichiers communs\GMT\GMT.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/1/ms7531_nl.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.41optYplkOmji/SpySpotterCabInstall.cab
O20 - Winlogon Notify: imgreg - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

9. Reboot your computer , again into safe mode and navigate to the following files and folders and delete them (All might not be present):

C:\WINDOWS\System32\MS7531.html
C:\WINDOWS\System32\ms7531.exe
teekids.exe
C:\Program Files\spool\spool.exe
C:\WINDOWS\WindowsUpd4.exe
ati2vid.exe
C:\WINDOWS\Fonts\faxras.exe
C:\WINDOWS\AppPatch\acvga.exe
C:\WINDOWS\Web\printers\unjava.exe
C:\WINDOWS\inf\keyrun.exe
C:\WINDOWS\Config\ipjava.exe
C:\WINDOWS\system\eulas.exe
C:\WINDOWS\System32\canada.exe
C:\WINDOWS\system32\Setup\imgreg.exe
C:\Program Files\PrecisionTime\
C:\Program Files\Date Manager\
C:\Program Files\Fichiers communs\GMT\
C:\Program Files\eBay\eBay Toolbar2\
C:\WINDOWS\svchost.exe NOTE: This file to delete is located in the "Windows" folder, there is a legimit Windows file with the same name in the "System32" folder and that mustn´t be touched.

In order to find them, click (Windowskey+E) and in the toolbar click "Tools>Folder options" and under tab "View" checkmark "Show hidden files and folders" and uncheck "Hide protected system files" and "Hide file extentions for known filetypes"

10. Now open The Ewido program and do the following:

Click on scanner
Click on Complete System Scan and the scan will begin.

On the first alert, a window will open prompting you to take action. Checkmark "Remove" and "Perform action on all detections".

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.

Now close ewido security suite.

11. Open the Emty Temp program . Then click "Empty all folders" (blue lightning) to delete the contents of the preset folders.

12. Reboot normally and post a new HiJack This log together with the report from Ewido.

Regards

Die Hard

Goatie · « **Reply #4 on:** August 27, 2005, 11:21:31 PM »

Die Hard,

Just to get your answer has me cry with relief!!! We'll do the work and attack the monsters heads on!!! This might take a few days to get through... have to go slow with baby steps... and do all by long distance phone calls and emails. Right now he has no protection at all. But I sent him AVG, Zone Alarm, SP2 and updates on CD's by mail yesterday and have all translations ready for him to install those properly and have some protection and be able to communicate more easily. But I will be back with results in a few days.

THANK YOU! THANK YOU! THANK YOU!!!

Die Hard · « **Reply #5 on:** August 27, 2005, 11:47:51 PM »

Goatie

Just a word of precaution. Installing SP2 on an infected system could cause trouble, so please advice your friend to wait with that until the system is cleaned.

regards

Die Hard

Goatie · « **Reply #6 on:** August 28, 2005, 08:27:31 AM »

DIE HARD... you have a perfect timing with your advice!!! I guess we were within less than 24 hours of making bad worse with trying to do better!

Thank you so much for being there.... and step dancin' for us!!!

We shall refrain from comitting the great SP2 sin in the Windows until we get your blessing for it!!!!

Die Hard · « **Reply #7 on:** August 28, 2005, 12:42:21 PM »

Quote from: Goatie on August 28, 2005, 08:27:31 AM

Thank you so much for being there.... and step dancin' for us!!!

[attachment deleted by admin]

Goatie · « **Reply #8 on:** August 28, 2005, 03:07:19 PM »

All translation is done now and off in the hands of the "lucky guy"

eheh! , and it was a very pleasant experience... DIE HARD you write with such clarity... precise details... I felt almost sorry I was'nt the one that could live through the experience after....

Goatie · « **Reply #9 on:** August 29, 2005, 09:54:51 AM »

DIE HARD... eheh! I see the girls now (did'nt yesterday) that would work for him... but I prefer the northern Besurk!!!

OK, here's where we're at for now:

1. and 2. done

3. those 3 (PrecisionTime, Date Manager, GMT) have disapeared from the Add/Remove list... cannot find them anymore!

4. C:\WINDOWS\system32\Setup\imgreg.exe and C:\Program Files\spool\spool.exe do not show in the Task Manager's processes (once he found the right TAB...

) Could HJT detect processes that would'nt show in the Task Manager???
All he finds there now is this:
msimn.exe 11976
Netscp.exe
SPOOLSV.EXE
OLFSNT 40.EXE
Skype.exe
Gestionnaire Anti...
CTFMON.EXE
Realplay.exe
Ikeymain.exe
LVCom.exe
HPZTSB04.EXE
WUAUCLT.EXE
EXPLORER.EXE
SVCHOST. EXE SERVICE LOCAL
SVCHOST. EXE
SVCHOST. EXE
SVCHOST. EXE
LSASS.EXE
SERVICE.EXE
WINLOGON.EXE
CSRSS.EXE
SVCHOST.EXE
SMSS.EXE
ewidoguard.exe
OSD.EXE
MouseAp.exe
Magickey.exe
Alg.exe
System.exe
Processus inactif

5. Cannot locate the NET framework service anywhere on the list.( I cannot find the exact translation for it either... looked all over french sites... and they refer to same terms as english... but his list is TOTAL french and so all words in reverse order and all starting with "service de..." which makes it a jungle... )
We're really stuck on that one... (but OK with RPC) and only reason we could'nt go any further....

but keeping the spirit... here's what he sent as his last signature:

Die Hard · « **Reply #10 on:** August 29, 2005, 10:46:18 AM »

Goatie

I suspect that some of those files are changing names after a reboot.Please ask your friens, if possible, that he shouldn´t reboot or turn off his computer unless we ask him to. I know this could be inconvenient, but we will soon get lost when the pests play hide and seek with filenames.

This is a renamed file:
OLFSNT 40.EXE
Ask if he could find a related entry in the HJT-log (among the O4-objects) and copy that one to you .Or, if he could e-mail a whole fresh copy of a log.

Quote

Could HJT detect processes that would'nt show in the Task Manager???

Yes, HJT reads the registry and sometimes orphaned entries appear in the logfile.

Quote

Cannot locate the NET framework service anywhere on the list.

That is added by the pest and should show up in the list in english, so it might be gone as well.

regards

Die Hard

Goatie · « **Reply #11 on:** August 29, 2005, 11:45:19 AM »

Thanks Die Hard...

Message transmitted... (hoping it gets there... had to use my hotmail because my ordinary mail can't go out right now.... grrrrrh!!!

)

You will get a fresh HJT log sometimes later today...

I appreciate a lot...

Goatie

Goatie · « **Reply #12 on:** August 29, 2005, 06:46:42 PM »

Logfile of HijackThis v1.99.1
Scan saved at 14:03:50, on 2005-08-29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.s1s1s1search.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\MS7531.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.radio-canada.ca/"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MS7531] "C:\WINDOWS\System32\ms7531.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [spool 0l7044] "C:\Program Files\spool\spool.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [*faxras] C:\WINDOWS\Fonts\faxras.exe
O4 - HKLM\..\Run: [*acvga] C:\WINDOWS\AppPatch\acvga.exe
O4 - HKLM\..\Run: [*unjava] C:\WINDOWS\Web\printers\unjava.exe
O4 - HKLM\..\Run: [*keyrun] C:\WINDOWS\inf\keyrun.exe
O4 - HKLM\..\Run: [*ipjava] C:\WINDOWS\Config\ipjava.exe
O4 - HKLM\..\Run: [*eulas] C:\WINDOWS\system\eulas.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MemoryBlaster] C:\Program Files EXTERNES\MemoryBlaster\MemoryBlaster.exe
O4 - HKCU\..\Run: [TraceBlaster] C:\Program Files EXTERNES\Trace Blaster\tbtray.exe
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Fichiers communs\GMT\GMT.exe
O4 - Global Startup: Accélérateur de démarrage AutoCAD.lnk = C:\Program Files\Fichiers communs\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Chercher avec Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/1/ms7531_nl.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.41optYplkOmji/SpySpotterCabInstall.cab
O20 - Winlogon Notify: imgreg - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - Unknown owner - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

Goatie · « **Reply #13 on:** August 29, 2005, 06:48:15 PM »

And this is what is now in ADD/remove

Adobe photoshop
Antidote
Autocad 2005 francais
Autocad 2005 express tools volume 1-9autodesk DWF viewer
C-dilla licence management system
Correctif windows xp article base de connaissance 834707
Correctif window XP kb823559
Correctif window XP kb828741
Correctif window XP kb833987
Correctif window XP kb835732
Correctif window XP kb840987
Correctif window XP kb841356
Correctif window XP kb841533
Correctif window XP kb842773
Correctif window XP kb873376
Correctif window XP kb885523
Correctif window XP kb887822
Div4windows codec 4.0 alpha 50
Empty temp folder 2.8.3
Ewido security suite
Hijackthis 1.99.1
Hp photosamart serie printer (supprimer uniquement)
Ikeywork 6.12
Java web start
Logitech desktop messenger
Logitech IM video companion
Memory blaster
Microsoft .Net Framework 1.1
Microsoft .Net Framework 1.1 French Language Pack
Microsoft internet Explorer 6 SP1
Microsoft Office 2000 Sr-1 Professional
Microtek scanWizard
Nero - Burning Rom (Web installer)
Netscape (7.02)
Package du correctif Window XP (voir Q329115 pour plus de détails)
Primax PROFI (CD nécessaire)
QuickTime
rb32
RealPlayer Basic
Shockwave
Skype 1.2
Spool
Suppress Plus
TopFiveSearch.com Search Assistant
Trace Blaster
Viewpoint Media Player (Remove Only)
Windows XP Application Compatibility Update (Q319580)
Windows XP Hotfix (SPI) (See Q 309521 for more information)
Windows XP Hotfix (SPI) (See Q 329048 for more information)
Windows XP Hotfix (SPI) (See Q 329390 for more information)
Windows XP Hotfix (SPI) (See Q 329441 for more information)
Windows XP Hotfix (SPI) (See Q 329834 for more information)
Windows XP Hotfix (SPI) Q329170
Windows XP Hotfix (SPI) Q810577
Windows XP Hotfix (SPI) Q810833
Windows XP Hotfix (SPI) Q817606
Wireless Keyboard and Mouse

--------------------------------------------------------------------------------

Die Hard · « **Reply #14 on:** August 29, 2005, 11:35:40 PM »

Goatie

We´re making some progress, talking of dancing. It´s like twostep-----two steps forward and one back

But eventually we´ll have them all .

There was a confusion about this file: OLFSNT 40.EXE The name isn´t OLFSNTspace 40.EXE , it´s OLFSNT40.EXE and it´s a file belonging to MS office.

The list of installed programs revealed some more nasties .......

First, go here and download "RapidBlaster removal" :
http://www.wilderssecurity.net/downloads/rbkiller.exe
Run it from the download location and hit "Scan" and it will scan and delete the offending RB-files.
In the same folder as RapidBlaster killer is located, a log will be created; "scanlog.txt". Please post it here

Then go to "Add/Remove programs" and uninstall:
Logitech desktop messenger
Memory blaster
Spool
TopFiveSearch.com Search Assistant
Trace Blaster

Now, reboot into safe mode.
In safe mode run HJT and checkmark and fix the following lines.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.s1s1s1search.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\MS7531.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O4 - HKLM\..\Run: [MS7531] "C:\WINDOWS\System32\ms7531.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [spool 0l7044] "C:\Program Files\spool\spool.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [*faxras] C:\WINDOWS\Fonts\faxras.exe
O4 - HKLM\..\Run: [*acvga] C:\WINDOWS\AppPatch\acvga.exe
O4 - HKLM\..\Run: [*unjava] C:\WINDOWS\Web\printers\unjava.exe
O4 - HKLM\..\Run: [*keyrun] C:\WINDOWS\inf\keyrun.exe
O4 - HKLM\..\Run: [*ipjava] C:\WINDOWS\Config\ipjava.exe
O4 - HKLM\..\Run: [*eulas] C:\WINDOWS\system\eulas.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [MemoryBlaster] C:\Program Files EXTERNES\MemoryBlaster\MemoryBlaster.exe
O4 - HKCU\..\Run: [TraceBlaster] C:\Program Files EXTERNES\Trace Blaster\tbtray.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Fichiers communs\GMT\GMT.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Chercher avec Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/1/ms7531_nl.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.41optYplkOmji/SpySpotterCabInstall.cab
O20 - Winlogon Notify: imgreg - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Reboot, again into safe mode and delete the following files and folders:
C:\WINDOWS\System32\MS7531.html <<<file
C:\WINDOWS\System32\ms7531.exe <<<file
teekids.exe<<<file
ati2vid.exe <<<file Those files have to be searched for. Open "Start>Search" and choose "All files and folders" and click "Advanced search options" and select "Search System folders" and "Search hidden files and folders"
C:\Program Files\spool\spool.exe <<<file
C:\WINDOWS\WindowsUpd4.exe <<<file
C:\WINDOWS\Fonts\faxras.exe <<<file
C:\WINDOWS\AppPatch\acvga.exe <<<file
C:\WINDOWS\Web\printers\unjava.exe <<<file
C:\WINDOWS\inf\keyrun.exe <<<file
C:\WINDOWS\Config\ipjava.exe <<<file
C:\WINDOWS\system\eulas.exe <<<file
C:\WINDOWS\System32\canada.exe <<<file
C:\Program Files EXTERNES\MemoryBlaster\ <<<folder
C:\Program Files EXTERNES\Trace Blaster\ <<<folder
C:\Program Files\PrecisionTime\ <<<folder
C:\Program Files\Date Manager\ <<<folder
C:\Program Files\Fichiers communs\GMT\ <<<folder
C:\Program Files\eBay\eBay Toolbar2\ <<<folder
C:\Program Files\Copernic Agent\ <<<folder
C:\WINDOWS\svchost.exe<<<file

Now reboot normally and scan again with HiJack This and post a new logfile together with the "scanlog.txt", produced by RapidBlasterKiller .

If any of the steps above can´t be done or if any files aren´t present, just go ahead with the next step.

Regards

Die Hard

LandzDown Forum

News: