Noooooooooo! This is not on my computer, but on a friend's... :shock:
Over 800 baddies were removed with Ad-Aware... (and one good file too because of F-P) 70 some still to go...
The Ad-Aware's last log file is here: http://www.landzdown.com/index.php/topic,1327.msg7077.html#msg7077
And here is the HJT log fresh from the oven:
removed and updated below....
Let's hold off on this for now as I have requested that the user run miekiemoes' LQfix first, clean with Ad-Aware and then post a new AAW logfile.
AFTER LQfix...
and he is not supposed to have SpyBot or a hosts file program running on his machine... if he does, he doesn't know he has one!!! (Corrine asked me to inform you of this...)
Logfile of HijackThis v1.99.1
Scan saved at 17:41:27, on 2005-08-25
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Setup\imgreg.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\spool\spool.exe
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.s1s1s1search.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\MS7531.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.radio-canada.ca/"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MS7531] "C:\WINDOWS\System32\ms7531.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [spool 0l7044] "C:\Program Files\spool\spool.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [*faxras] C:\WINDOWS\Fonts\faxras.exe
O4 - HKLM\..\Run: [*acvga] C:\WINDOWS\AppPatch\acvga.exe
O4 - HKLM\..\Run: [*unjava] C:\WINDOWS\Web\printers\unjava.exe
O4 - HKLM\..\Run: [*keyrun] C:\WINDOWS\inf\keyrun.exe
O4 - HKLM\..\Run: [*ipjava] C:\WINDOWS\Config\ipjava.exe
O4 - HKLM\..\Run: [*eulas] C:\WINDOWS\system\eulas.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunOnce: [*imgreg] C:\WINDOWS\system32\Setup\imgreg.exe rerun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MemoryBlaster] C:\Program Files EXTERNES\MemoryBlaster\MemoryBlaster.exe
O4 - HKCU\..\Run: [TraceBlaster] C:\Program Files EXTERNES\Trace Blaster\tbtray.exe
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Fichiers communs\GMT\GMT.exe
O4 - Global Startup: Accélérateur de démarrage AutoCAD.lnk = C:\Program Files\Fichiers communs\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Chercher avec Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/1/ms7531_nl.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.41optYplkOmji/SpySpotterCabInstall.cab
O20 - Winlogon Notify: imgreg - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - Unknown owner - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
Goatie :)
Well... here's something for you to translate :P
There are some very unpleasant files; the " * " indicates that they're run in safe mode as well.
Let's do it this way:
First, print this page or copy it to a Notepad sheet, because most of the cleaning process will be done without an internet connection.
1. Go here and download "EmptyTempFolders": http://www.danish-shareware.dk/soft/emptemp/
Install the program and click "Options" and select "Predefined folders".
Checkmark :
C:\DOCUMENT AND SETTINGS\your account\LOCAL SETTINGS\Temp\
C:\DOCUMENT AND SETTINGS\all other accounts\LOCAL SETTINGS\Temp\
C:\DOCUMENT AND SETTINGS\your account\LOCAL SETTINGS\Temporary Internet files
C:\DOCUMENT AND SETTINGS\all other accounts\LOCAL SETTINGS\Temporary Internet files
C:\Windows\Temp
Do not use it yet.
2. Go here and download Ewido Security Suite:
http://www.ewido.net/en/download/
A quick guide is found here:
http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf
- Install ewido security suite
- Launch ewido, there should be an icon on your desktop double-click it.
- The program will now go to the main screen
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)
Close the program for now.
3. Open the Control Panel applet "Add/Remove programs" and uninstall:
PrecisionTime
Date Manager
GMT
4. Open the Task Manager (Ctrl+Alt+Del) and end these processes:
C:\WINDOWS\system32\Setup\imgreg.exe
C:\Program Files\spool\spool.exe
5. Click (Windowskey+R) and type
Services.msc. In the right pane of the window that opens, scroll down to
.NET Framework Service (.NET Connection Service) and double-click it. In the new window that opens, under "Startup type" set it to "Disabled" and hit the Stop button. Click "Apply".
Now....
In the right pane again, locate the
Remote Procedure Call (RPC) service.
There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two. Right-click the Remote Procedure Call (RPC) service, and then click Properties.
Click the Recovery tab.
Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
Click Apply, and then OK
6. Now we need to edit the registry, not a very complicated operation:
Click (Windowskey+R) and type
Regedit>OK
In the Registry Editor, in the left panel, click the following " + ":
+ HKEY_LOCAL_MACHINE
+ Software
+ Microsoft
Ole
click on "Ole" and in the right panel, locate the entry:
EnableDCOM = "N"
Double-click it and in the field "Data" modify "N" to "Y".
No quotes.
Close the Registry Editor.
7. Go here and download Option^Explicit's "KillBox":
http://www.bleepingcomputer.com/files/killbox.php
Extract it to a folder of your convenience. Open the tool and checkmark "Delete on reboot". Then, in the field "Full path of file to delete", copy and paste:
C:\WINDOWS\system32\Setup\imgreg.exe
Click the red circle with an "X" and allow the system to reboot. Reboot into
safe mode (during the startup process, hit the F8 key repeatedly).
8. Now, in safe mode, run HiJack This and checkmark the following details and hit "fix checked":
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.s1s1s1search.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\MS7531.html
R3 - Default URLSearchHook is missing
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat
O4 - HKLM\..\Run: [MS7531] "C:\WINDOWS\System32\ms7531.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [spool 0l7044] "C:\Program Files\spool\spool.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [*faxras] C:\WINDOWS\Fonts\faxras.exe
O4 - HKLM\..\Run: [*acvga] C:\WINDOWS\AppPatch\acvga.exe
O4 - HKLM\..\Run: [*unjava] C:\WINDOWS\Web\printers\unjava.exe
O4 - HKLM\..\Run: [*keyrun] C:\WINDOWS\inf\keyrun.exe
O4 - HKLM\..\Run: [*ipjava] C:\WINDOWS\Config\ipjava.exe
O4 - HKLM\..\Run: [*eulas] C:\WINDOWS\system\eulas.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunOnce: [*imgreg] C:\WINDOWS\system32\Setup\imgreg.exe rerun
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Fichiers communs\GMT\GMT.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/1/ms7531_nl.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.41optYplkOmji/SpySpotterCabInstall.cab
O20 - Winlogon Notify: imgreg - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
9. Reboot your computer, again into safe mode, and navigate to the following files and folders and delete them (all might not be present):
C:\WINDOWS\System32\MS7531.html
C:\WINDOWS\System32\ms7531.exe
teekids.exe
C:\Program Files\spool\spool.exe
C:\WINDOWS\WindowsUpd4.exe
ati2vid.exe
C:\WINDOWS\Fonts\faxras.exe
C:\WINDOWS\AppPatch\acvga.exe
C:\WINDOWS\Web\printers\unjava.exe
C:\WINDOWS\inf\keyrun.exe
C:\WINDOWS\Config\ipjava.exe
C:\WINDOWS\system\eulas.exe
C:\WINDOWS\System32\canada.exe
C:\WINDOWS\system32\Setup\imgreg.exe
C:\Program Files\PrecisionTime\
C:\Program Files\Date Manager\
C:\Program Files\Fichiers communs\GMT\
C:\Program Files\eBay\eBay Toolbar2\
C:\WINDOWS\svchost.exe
NOTE: This file to delete is located in the "Windows" folder; there is a legitimate Windows file with the same name in the "System32" folder and that mustn't be touched.
In order to find them, click (Windowskey+E) and in the toolbar click "Tools>Folder options" and under the tab "View" checkmark "Show hidden files and folders" and uncheck "Hide protected system files" and "Hide file extensions for known file types".
10. Now open the Ewido program and do the following:
- Click on scanner
- Click on Complete System Scan and the scan will begin.
On the first alert, a window will open prompting you to take action. Checkmark "Remove" and "Perform action on all detections".
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop.
Now close ewido security suite.
11. Open the Empty Temp program. Then click "Empty all folders" (blue lightning) to delete the contents of the preset folders.
12. Reboot normally and post a new HiJack This log together with the report from Ewido.
Regards
Die Hard :)
Die Hard,
Just getting your answer has me crying with relief!!! We'll do the work and attack the monsters head on!!! This might take a few days to get through... have to go slow with baby steps... and do it all by long distance phone calls and emails. Right now he has no protection at all. But I sent him AVG, Zone Alarm, SP2 and updates on CDs by mail yesterday and have all translations ready for him to install those properly and have some protection and be able to communicate more easily. But I will be back with results in a few days.
THANK YOU! THANK YOU! THANK YOU!!! :Yahoo:
Goatie :)
Just a word of precaution. Installing SP2 on an infected system could cause trouble, so please advise your friend to wait with that until the system is cleaned.
regards
Die Hard :)
DIE HARD... you have a perfect timing with your advice!!! I guess we were within less than 24 hours of making bad worse with trying to do better! :shock:
Thank you so much for being there.... and step dancin' for us!!! :) We shall refrain from committing the great SP2 sin in the Windows until we get your blessing for it!!!! :thumbsup:
Quote from: Goatie on August 28, 2005, 08:27:31 AM
Thank you so much for being there.... and step dancin' for us!!! :)
All translation is done now and off in the hands of the "lucky guy" :twisted: eheh! And it was a very pleasant experience... DIE HARD, you write with such clarity... precise details... I felt almost sorry I wasn't the one that could live through the experience after.... :tease:
DIE HARD... eheh! I see the girls now (didn't yesterday) that would work for him... but I prefer the northern Besurk!!!
OK, here's where we're at for now:
1. and 2. done
3. Those 3 (PrecisionTime, Date Manager, GMT) have disappeared from the Add/Remove list... cannot find them anymore!
4. C:\WINDOWS\system32\Setup\imgreg.exe and C:\Program Files\spool\spool.exe do not show in the Task Manager's processes (once he found the right TAB... :-D). Could HJT detect processes that wouldn't show in the Task Manager???
All he finds there now is this:
msimn.exe 11976
Netscp.exe
SPOOLSV.EXE
OLFSNT 40.EXE
Skype.exe
Gestionnaire Anti...
CTFMON.EXE
Realplay.exe
Ikeymain.exe
LVCom.exe
HPZTSB04.EXE
WUAUCLT.EXE
EXPLORER.EXE
SVCHOST. EXE SERVICE LOCAL
SVCHOST. EXE
SVCHOST. EXE
SVCHOST. EXE
LSASS.EXE
SERVICE.EXE
WINLOGON.EXE
CSRSS.EXE
SVCHOST.EXE
SMSS.EXE
ewidoguard.exe
OSD.EXE
MouseAp.exe
Magickey.exe
Alg.exe
System.exe
Processus inactif
5. Cannot locate the .NET Framework service anywhere on the list. (I cannot find the exact translation for it either... looked all over French sites... and they refer to the same terms as English... but his list is TOTALLY French and so all words are in reverse order and all start with "service de..." which makes it a jungle...)
We're really stuck on that one... (but OK with RPC) and the only reason we couldn't go any further....
but keeping the spirit... here's what he sent as his last signature:
http://www.mediom.com/~marpelt/claude.jpg
Goatie :)
I suspect that some of those files are changing names after a reboot. Please ask your friend, if possible, that he shouldn't reboot or turn off his computer unless we ask him to. I know this could be inconvenient, but we will soon get lost when the pests play hide and seek with filenames.
This is a renamed file:
OLFSNT 40.EXE
Ask if he could find a related entry in the HJT log (among the O4 objects) and copy that one to you. Or, if he could e-mail a whole fresh copy of a log.
Quote: Could HJT detect processes that wouldn't show in the Task Manager???
Yes, HJT reads the registry and sometimes orphaned entries appear in the logfile.
Quote: Cannot locate the .NET Framework service anywhere on the list.
That is added by the pest and should show up in the list in English, so it might be gone as well.
regards
Die Hard :)
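As an added example (not code from this thread or from HijackThis), here is a small Python triage script that reads lines in the HJT v1.99 log format posted above and flags the patterns Die Hard points out: O4 value names prefixed with "*", Run entries that give only a bare filename, "(file missing)" orphans that HJT reads from the registry, and a core Windows binary name sitting outside System32 (the C:\WINDOWS\svchost.exe caveat). The sample lines are copied from the logs in this thread; extending the System32 check beyond svchost.exe to the other core names is my own assumption.

```python
import ntpath
import re

# Constructed sample input in the HijackThis v1.99 log format. The lines are
# copied from the logs posted in this thread; the bare process path at the end
# stands in for the "Running processes:" section.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.s1s1s1search.com/sp2.php
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [*faxras] C:\WINDOWS\Fonts\faxras.exe
O4 - HKLM\..\RunOnce: [*imgreg] C:\WINDOWS\system32\Setup\imgreg.exe rerun
O20 - Winlogon Notify: imgreg - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\svchost.exe
"""

# "R1 - ...", "O4 - ...": a section code followed by " - " and the entry body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Registry autostart body: HKLM\..\Run: [name] command (also RunOnce, RunServices).
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First absolute Windows path to an executable-like file anywhere in a body.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|dat))', re.IGNORECASE)
# A line of the "Running processes:" section is just a full path.
PROC_RE = re.compile(r"^[A-Za-z]:\\")

SYSTEM32 = r"c:\windows\system32"
# Core Windows binaries that legitimately live only in System32. The thread
# makes this point for svchost.exe; the other names are my own assumption.
CORE_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
              "smss.exe", "csrss.exe"}


def parse_line(line):
    """Split an HJT line into (section, body). Process-list lines get the
    pseudo-section "PROC"; headers and blank lines return None."""
    s = line.strip()
    if PROC_RE.match(s):
        return "PROC", s
    m = LINE_RE.match(s)
    return (m.group("section"), m.group("body")) if m else None


def triage_line(line):
    """Return a list of (reason, line) findings for one HJT log line."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []

    # HJT reads these entries from the registry, so one can outlive its file.
    if body.endswith("(file missing)"):
        reasons.append("orphaned entry: the registry still points at a file that is gone")

    if section == "O4":
        m = O4_RE.match(body)
        if m:
            if m.group("name").startswith("*"):
                reasons.append("value name prefixed with '*' (thread: runs in Safe Mode too)")
            if not PATH_RE.search(m.group("cmd")):
                reasons.append("bare filename with no path: find it with a full disk search")

    # A well-known binary name in the wrong directory (C:\WINDOWS\svchost.exe).
    m = PATH_RE.search(body)
    if m:
        directory, fname = ntpath.split(m.group("path"))
        if fname.lower() in CORE_NAMES and directory.lower() != SYSTEM32:
            reasons.append("core Windows binary name outside System32: " + m.group("path"))

    return [(reason, line.strip()) for reason in reasons]


def triage_log(text):
    """Run triage_line over every line of a log; findings come back in log order."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print("%s\n    <- %s" % (reason, line))
```

Entries that pass every check are not necessarily clean; the script only reproduces the mechanical hints from the thread so that a reader can apply them to a longer log consistently.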
Thanks Die Hard... :(
Message transmitted... (hoping it gets there... had to use my hotmail because my ordinary mail can't go out right now.... grrrrrh!!! :x)
You will get a fresh HJT log sometime later today...
I appreciate a lot...
Goatie
Logfile of HijackThis v1.99.1
Scan saved at 14:03:50, on 2005-08-29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.s1s1s1search.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\MS7531.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.radio-canada.ca/"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MS7531] "C:\WINDOWS\System32\ms7531.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [spool 0l7044] "C:\Program Files\spool\spool.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [*faxras] C:\WINDOWS\Fonts\faxras.exe
O4 - HKLM\..\Run: [*acvga] C:\WINDOWS\AppPatch\acvga.exe
O4 - HKLM\..\Run: [*unjava] C:\WINDOWS\Web\printers\unjava.exe
O4 - HKLM\..\Run: [*keyrun] C:\WINDOWS\inf\keyrun.exe
O4 - HKLM\..\Run: [*ipjava] C:\WINDOWS\Config\ipjava.exe
O4 - HKLM\..\Run: [*eulas] C:\WINDOWS\system\eulas.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MemoryBlaster] C:\Program Files EXTERNES\MemoryBlaster\MemoryBlaster.exe
O4 - HKCU\..\Run: [TraceBlaster] C:\Program Files EXTERNES\Trace Blaster\tbtray.exe
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Fichiers communs\GMT\GMT.exe
O4 - Global Startup: Accélérateur de démarrage AutoCAD.lnk = C:\Program Files\Fichiers communs\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Chercher avec Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/1/ms7531_nl.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.41optYplkOmji/SpySpotterCabInstall.cab
O20 - Winlogon Notify: imgreg - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - Unknown owner - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
And this is what is now in Add/Remove:
Adobe photoshop
Antidote
Autocad 2005 francais
Autocad 2005 express tools volume 1-9autodesk DWF viewer
C-dilla licence management system
Correctif windows xp article base de connaissance 834707
Correctif window XP kb823559
Correctif window XP kb828741
Correctif window XP kb833987
Correctif window XP kb835732
Correctif window XP kb840987
Correctif window XP kb841356
Correctif window XP kb841533
Correctif window XP kb842773
Correctif window XP kb873376
Correctif window XP kb885523
Correctif window XP kb887822
Div4windows codec 4.0 alpha 50
Empty temp folder 2.8.3
Ewido security suite
Hijackthis 1.99.1
Hp photosamart serie printer (supprimer uniquement)
Ikeywork 6.12
Java web start
Logitech desktop messenger
Logitech IM video companion
Memory blaster
Microsoft .Net Framework 1.1
Microsoft .Net Framework 1.1 French Language Pack
Microsoft internet Explorer 6 SP1
Microsoft Office 2000 Sr-1 Professional
Microtek scanWizard
Nero - Burning Rom (Web installer)
Netscape (7.02)
Package du correctif Window XP (voir Q329115 pour plus de détails)
Primax PROFI (CD nécessaire)
QuickTime
rb32
RealPlayer Basic
Shockwave
Skype 1.2
Spool
Suppress Plus
TopFiveSearch.com Search Assistant
Trace Blaster
Viewpoint Media Player (Remove Only)
Windows XP Application Compatibility Update (Q319580)
Windows XP Hotfix (SPI) (See Q 309521 for more information)
Windows XP Hotfix (SPI) (See Q 329048 for more information)
Windows XP Hotfix (SPI) (See Q 329390 for more information)
Windows XP Hotfix (SPI) (See Q 329441 for more information)
Windows XP Hotfix (SPI) (See Q 329834 for more information)
Windows XP Hotfix (SPI) Q329170
Windows XP Hotfix (SPI) Q810577
Windows XP Hotfix (SPI) Q810833
Windows XP Hotfix (SPI) Q817606
Wireless Keyboard and Mouse
Goatie :)
We're making some progress, talking of dancing. It's like a two-step: two steps forward and one back :) :)
But eventually we'll have them all.
There was a confusion about this file: OLFSNT 40.EXE. The name isn't "OLFSNT 40.EXE" (with a space), it's OLFSNT40.EXE, and it's a file belonging to MS Office.
The list of installed programs revealed some more nasties...
First, go here and download "RapidBlaster removal" :
http://www.wilderssecurity.net/downloads/rbkiller.exe
Run it from the download location and hit "Scan" and it will scan and delete the offending RB-files.
In the same folder where RapidBlaster Killer is located, a log will be created: "scanlog.txt". Please post it here.
Then go to "Add/Remove programs" and uninstall:
Logitech desktop messenger
Memory blaster
Spool
TopFiveSearch.com Search Assistant
Trace Blaster
Now, reboot into safe mode.
In safe mode run HJT and checkmark and fix the following lines.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.s1s1s1search.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.s1s1s1search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\MS7531.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O4 - HKLM\..\Run: [MS7531] "C:\WINDOWS\System32\ms7531.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [spool 0l7044] "C:\Program Files\spool\spool.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [*faxras] C:\WINDOWS\Fonts\faxras.exe
O4 - HKLM\..\Run: [*acvga] C:\WINDOWS\AppPatch\acvga.exe
O4 - HKLM\..\Run: [*unjava] C:\WINDOWS\Web\printers\unjava.exe
O4 - HKLM\..\Run: [*keyrun] C:\WINDOWS\inf\keyrun.exe
O4 - HKLM\..\Run: [*ipjava] C:\WINDOWS\Config\ipjava.exe
O4 - HKLM\..\Run: [*eulas] C:\WINDOWS\system\eulas.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [MemoryBlaster] C:\Program Files EXTERNES\MemoryBlaster\MemoryBlaster.exe
O4 - HKCU\..\Run: [TraceBlaster] C:\Program Files EXTERNES\Trace Blaster\tbtray.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Fichiers communs\GMT\GMT.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Chercher avec Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {214868A8-F71B-473E-8ECF-6EE1DE6B91D8} - http://pms.localscripts.nl/plugins/1/ms7531_nl.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.41optYplkOmji/SpySpotterCabInstall.cab
O20 - Winlogon Notify: imgreg - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Reboot again into safe mode and delete the following files and folders:
C:\WINDOWS\System32\MS7531.html <<<file
C:\WINDOWS\System32\ms7531.exe <<<file
teekids.exe <<<file
ati2vid.exe <<<file
Those files have to be searched for. Open "Start>Search", choose "All files and folders", click "Advanced search options" and select "Search system folders" and "Search hidden files and folders".
C:\Program Files\spool\spool.exe <<<file
C:\WINDOWS\WindowsUpd4.exe <<<file
C:\WINDOWS\Fonts\faxras.exe <<<file
C:\WINDOWS\AppPatch\acvga.exe <<<file
C:\WINDOWS\Web\printers\unjava.exe <<<file
C:\WINDOWS\inf\keyrun.exe <<<file
C:\WINDOWS\Config\ipjava.exe <<<file
C:\WINDOWS\system\eulas.exe <<<file
C:\WINDOWS\System32\canada.exe <<<file
C:\Program Files EXTERNES\MemoryBlaster\ <<<folder
C:\Program Files EXTERNES\Trace Blaster\ <<<folder
C:\Program Files\PrecisionTime\ <<<folder
C:\Program Files\Date Manager\ <<<folder
C:\Program Files\Fichiers communs\GMT\ <<<folder
C:\Program Files\eBay\eBay Toolbar2\ <<<folder
C:\Program Files\Copernic Agent\ <<<folder
C:\WINDOWS\svchost.exe <<<file
Now reboot normally, scan again with HijackThis and post a new logfile together with the "scanlog.txt" produced by RapidBlasterKiller.
If any of the steps above can't be done or if any files aren't present, just go ahead with the next step.
Regards
Die Hard :)
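The removal list above is built by reading the log for a handful of hiding tricks: Run values with no directory at all (teekids.exe, ati2vid.exe), executables parked in folders that never hold programs (Fonts, inf, AppPatch, Web\printers, Config, the old \system folder, Temp), one binary registered under several autorun names (canada.exe, WindowsUpd4.exe, ati2vid.exe), a core binary outside System32 (C:\WINDOWS\svchost.exe), a start page pointing at a local HTML file, and BHO, Winlogon Notify and service entries whose file is already gone. The script below is an added example, not part of the thread and not a HijackThis feature: it parses those HJT line types and prints the same triage automatically. The directory list and the "System32-only" set are my assumptions, the sample input is copied from the log posted above, and a clean-looking entry (the ms7531.exe Run value sits in System32 and trips nothing) still needs the eyeball check Die Hard did.

```python
"""Triage a HijackThis 1.99 log for the hiding patterns the cleanup
instructions above rely on: Run entries with no directory, executables parked
in directories that never hold programs, one binary registered under several
autorun names, core system binaries outside System32, browser pages pointing
at a local file, and BHO / Winlogon Notify / service entries whose file is gone."""
import re

# Assumption: directories that hold no executables on a normal XP box (compared
# lower-cased with '/' separators); drawn from the paths listed for deletion above.
ODD_DIRS = ("/fonts/", "/inf/", "/apppatch/", "/web/printers/", "/config/",
            "/windows/system/", "/temp/")
# Core binaries that only ever live in %SystemRoot%\System32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
MISSING = " (file missing)"


def exe_path(cmd):
    """Return the executable from a Run value: honour quoting, drop arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first extension, not the first space.
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|dll|dat))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split() or [""])[0]


def parse(log):
    """Yield (section, entry name, path, file_missing, raw line) for the sections we triage."""
    for raw in log.splitlines():
        line = raw.strip()
        sect, _, rest = line.partition(" - ")
        if sect == "O4":
            # O4 - HKLM\..\Run: [Name] command   |   O4 - Global Startup: X.lnk = path
            loc, _, val = rest.partition(": ")
            if loc == "Global Startup":
                name, _, cmd = val.partition(" = ")
            else:
                m = re.match(r"\[(.*?)\] (.*)", val)
                name, cmd = (m.group(1), m.group(2)) if m else ("", val)
            yield sect, f"{loc} [{name}]", exe_path(cmd), False, line
        elif sect in ("O2", "O20", "O23") and " - " in rest:
            # O2 - BHO: Name - {CLSID} - path | O20 - Winlogon Notify: key - path
            # O23 - Service: Display (Key) - Owner - path   (each may end in "(file missing)")
            head, _, path = rest.rpartition(" - ")
            name = head.split(": ", 1)[-1].split(" - ")[0]
            missing = path.endswith(MISSING)
            yield sect, name, path[:-len(MISSING)] if missing else path, missing, line
        elif sect in ("R0", "R1") and " = " in rest:
            key, _, val = rest.partition(" = ")
            yield sect, key, val, False, line


def triage(log):
    """Return {raw line: [reasons]} for every entry that trips at least one check."""
    findings, by_binary = {}, {}   # by_binary: executable basename -> O4 entries launching it

    def flag(line, reason):
        findings.setdefault(line, []).append(reason)

    for sect, name, path, missing, line in parse(log):
        norm = path.lower().replace("\\", "/")
        base = norm.rsplit("/", 1)[-1]
        if sect in ("R0", "R1"):
            if re.match(r"[a-z]:/", norm):
                flag(line, "browser page points at a local file instead of a URL")
            continue
        if missing:
            flag(line, f"{name}: registered file no longer exists; remove the orphaned entry")
        if sect == "O4" and "/" not in norm:
            flag(line, f"{name}: no directory given, locate {base} with a full-disk search")
        if any(d in norm for d in ODD_DIRS):
            flag(line, f"{name}: executable parked in a directory that holds no programs")
        if base in SYSTEM32_ONLY and not norm.endswith("/system32/" + base):
            flag(line, f"{name}: {base} outside System32 is an impostor")
        if sect == "O4":
            by_binary.setdefault(base, []).append((name, line))
    for base, entries in by_binary.items():
        if len(entries) > 1:   # same binary under several autorun names = redundant persistence
            for name, line in entries:
                flag(line, f"{base} is registered {len(entries)} times ({', '.join(n for n, _ in entries)})")
    return findings


def reasons_for(findings, needle):
    """Reasons attached to the first flagged line containing `needle` ([] if none)."""
    for line, reasons in findings.items():
        if needle in line:
            return reasons
    return []


# Sample input: lines copied from the log posted above, used here as test data.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = C:\WINDOWS\System32\MS7531.html
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O4 - HKLM\..\Run: [MS7531] "C:\WINDOWS\System32\ms7531.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [*faxras] C:\WINDOWS\Fonts\faxras.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\canada.exe -N
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - Winlogon Notify: imgreg - C:\DOCUME~1\Claude\LOCALS~1\Temp\gergmi.dat (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run it against a saved HJT log by replacing SAMPLE_LOG with the file contents; every flagged line still has to be judged by hand, but the output is the list of candidates that the manual walk-through above produced, including the orphaned .NET service entry that is the last item left at the end of the thread.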
DIE HARD,
I would have thought you'd be in bed by now in Sweden and here you are still step dancin' for us in Canada!!! :wink:
I will get at it in just a few hours... I'm 80 years old right now but will be back to 62 at 4 am !!! :tease:
...and he didn't reboot or shut down since those last logs... and will not until it says REBOOT NOW signed by YOU! :lol:
Thanks a million for the encouraging words (steps)... no money can buy that right now :)!
I guess you know you are a GREAT GUY??? so I won't say it again... but boy! nothing can stop me from thinking it!!!
Now... Go to sleep! :wink:
Hi! Die Hard... Here I am, back to teach you a new dance... (http://www.mediom.com/~marpelt/DieHardUpsideDown.gif)
with a lot of practice, you'll get to like it maybe???.... 8)
Here's what happened today and the results... well, some of them...
He downloaded "RapidBlaster removal" and installed it in Program Files !!! Ouch! yes... loose in there! He ran it but could never find a scanlog.txt anywhere there... nor with a search! :( Sorry about that one, I thought he knew by now... but... life is full of surprises sometimes!!!
Did uninstall:
Logitech desktop messenger
Memory blaster
Spool
TopFiveSearch.com Search Assistant
Trace Blaster
Ran HJT and fixed all but this one missing:
O4 - HKCU\..\Run: [TraceBlaster] C:\Program Files EXTERNES\Trace Blaster\tbtray.exe
Files removed or not found
C:\WINDOWS\System32\MS7531.html <<<file .... deleted
C:\WINDOWS\System32\ms7531.exe <<<file .... not found
teekids.exe <<<file .... not found
ati2vid.exe <<<file .... not found
C:\Program Files\spool\spool.exe <<<file .... deleted
C:\WINDOWS\WindowsUpd4.exe <<<file .... not found
C:\WINDOWS\Fonts\faxras.exe <<<file .... not found
C:\WINDOWS\AppPatch\acvga.exe <<<file .... not found
C:\WINDOWS\Web\printers\unjava.exe <<<file .... not found
C:\WINDOWS\inf\keyrun.exe <<<file .... not found
C:\WINDOWS\Config\ipjava.exe <<<file .... not found
C:\WINDOWS\system\eulas.exe <<<file .... not found
C:\WINDOWS\System32\canada.exe <<<file .... not found
C:\Program Files EXTERNES\MemoryBlaster\ <<<folder .... deleted
C:\Program Files EXTERNES\Trace Blaster\ <<<folder .... deleted
C:\Program Files\PrecisionTime\ <<<folder .... not found
C:\Program Files\Date Manager\ <<<folder .... not found
C:\Program Files\Fichiers communs\GMT\ <<<folder .... deleted
C:\Program Files\eBay\eBay Toolbar2\ <<<folder .... not found
C:\Program Files\Copernic Agent\ <<<folder .... deleted
C:\WINDOWS\svchost.exe <<<file .... deleted
He says these are now in the recycle bin
copernicagentbasicfr.ex
memoryblaster.exe
ms7531.htmlm
SPOOL.EXE-00C19DC.pf
svchost.exe
svchost.exe
SVCHOST.EXE
SVCHOST.EXE-3530F672.pf
traceblaster.exe
TRACEBLASTER.EXE-2083A750.pf
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 20:05:33, on 2005-08-30
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.radio-canada.ca/"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: Accélérateur de démarrage AutoCAD.lnk = C:\Program Files\Fichiers communs\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - Unknown owner - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
:exorcize: :exorcize: :exorcize:
Thank you again... and again!
:)
Goatie :)
That dance is too complicated for me, besides I have to read the log from right to left :D :D :tease:
We have to have this line fixed and the file removed.
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Please open "Start>Run", type Services.msc and check whether this name can be found and stopped as per the instructions before.
.NET Framework Service (.NET Connection Service)
That file is a downloader and will fill the computer with new files as soon as we get on the internet again, I'm afraid.
This is the only offending file that´s left, you did a great job :thumbsup:
regards
Die Hard :)
Die Hard.... :lol:
OK, I'm up again, :breakkie: and feeling younger than last night :) so I go right back to work and will give it all I can..... before I jump in my car and drive all the way there and search for it myself if need be!!! :boat: getting the tail of Katrina here today, so that would be by boat!!!
We're going to get that culprit, that is my mission today!
Oh! ILLUSION, why do I feel so good to see only one item when it is such a dangerous one and he's so hard to trace!
Off I go with my 4 hoofs... to work old lady goat!
Thank you Die Hard, you're still my hero even if you won't stand on your head for me! :tease:
The progress of Katrina has been in the headlines here as well. (Progress? It doesn't sound right when talking of a disastrous hurricane.)
I hope you or your property weren't hurt too badly :shock:
Die Hard :)
It should have lost a lot of its intensity once here... and I'm in the upper part of the city on top of the big rocky cape (not on the edge either, eheh!) so... all should go well here! :)
OK, I've done the translation and showed him how to do a screen capture... so maybe if he can practice that on his list of Services... I can spot that item he can't find up to now.... (although I thought he had !!!...) Surely that name must be in english... unless the bad guys pushed the devotion all the way to making language versions of it!!! :moreevil:
:) will be back later... with results I HOPE !
WE GOT IT!!! :Yahoo: we did deactivate the darn thing!!! FINALLY!!!
Now please dear Grand Master Die Hard... tell me what I want to hear, I'm down on my knees, yes Sir! I AM!
This is a HJT log done right after, no reboot... normal mode...
Logfile of HijackThis v1.99.1
Scan saved at 11:27:30, on 2005-08-31
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.radio-canada.ca/"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: Accélérateur de démarrage AutoCAD.lnk = C:\Program Files\Fichiers communs\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - Unknown owner - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
ooooooooh! I hope nothing else sprouted in there......
Goatie !! :thumbsup: :thumbsup:
I'm the one who should be amazed. You did the e-mailing, the phoning............... and the rowing!!! :thumbsup:
All I did was sit at my desk reading a log :P
I needn't say it, but look up every possible security program available, but don't overdo it so he feels uneasy with them and turns them off completely instead. Best is to keep a balance there.
By the way.......... did I say the log is squeaky clean and you can stand up again. LOLOL!! :gwave:
Regards
Die Hard :)
First, (http://www.floraworld.com/images/occassion_location/congratulations.jpg)
Second, may I suggest clearing System Restore and setting a brand new clean restore point. Here are a couple links for illustration: http://www.atribune.org/sysrestore.html and http://www.bleepingcomputer.com/forums/tut56.html
Next, install SP2. Then, its time to party! :Yahoo:
(http://forums.manageyourpc.com/style_emoticons/default/angel_not.gif) Saint Die Hard... (http://forums.manageyourpc.com/style_emoticons/default/angel_not.gif)
I email, phone and row all year long... and it never killed a critter !
I also read a lot of logs and it didn't do it either.... !
The secret recipes you type under your fingers are what make the MAGIC happen, and I don't have that and YOU (http://forums.manageyourpc.com/style_emoticons/default/thumbup1.gif) do!!!
Now here is what I had in mind for him now:
-SP2 and updates
-Zone Alarm firewall (tested with GRC's Shields Up of course....)
-AVG antivirus
-Ad-Aware SE
-Spywareblaster
-Mitch's IE & OE settings
-CCleaner
In all this, Zone Alarm is the only one I don't know anything about yet, but it seems to be the only free one available now from what I hear...
Just not sure if I should have him install SP2 first or after the firewall and AV...
If you have better idea... in your recipe book... I'd sure listen real good!!!
And how can I thank you, I feel so grateful to you! ...and your sense of humor and good encouragements all along were worth GOLD like fuel in a car... that keeps you going even when you're lost!
OK, I stand up now and let you enjoy the sight of a clean course... :lol:
(http://www.mediom.com/~marpelt/claude2.jpg)
CORRINE... aah! SAINT YOU TOO !!!
You, who got us started on the road to recovery!!! ...and always there with T.L.C. when it is needed! here... there... everywhere!!! :lol:
And now, you remind me of this important step to take and I had completely forgotten about.... THANK YOU!!!!!
ahah! here I am rejoicing and jumping with joy... and my friend doesn't even know yet he's clean as a whistle !!!
Well, I will announce it to him... but make sure he goes through a few more steps before!!! eheh! ...just in case he wants to go WILD and announce it to the world BEFORE I SECURE HIM GOOD AND TIGHT!!! :tease:
ATTENTION CRAPWARE WRITERS
There is a new sheriff in FROGIETOWN and has a real mean posse
so take a hint and go now
(http://members.accessbee.com/mitch/scumsheriff.jpg)
Aaaaah! you MITCH the One and Only PP of this earth! ...who got me from this :titanic: to this: :boat: a couple years ago (sure is handy up to this day... where I even used it to get my groceries today...) and has kept me going straight ever since! You might not have made a career as a HJT logger but you sure have all the secret dark corners of XP figured out! YEP! you're a PHANTOM and a PHIXER and I'm a PHROG and a PHIDDLE and PHADDLE!!! :tease:
....and now promoted to SHERIPHOOD!!! WOW!!! :Yahoo:
May I suggest SpywareGuard from javacoolsoftware also.
E :)
Excellent suggestion, eagle!
Goatie, know what I did for a friend whose kids did a job on the computer? I registered him here and subscribed him to the Update threads for the software on the computer. I then changed the email address to his work address so he'd know when there is an update. He has promised me that he'll make sure the updates are done.
Wow! Here meet an Eagle, a Rose, a Goat, a Phantom and a Dancer ! How much better can it get...
bird, flower, animal, air, human getting their wings, petals, hoofs, breeze and steps together!
I'm taking notes..... notes... notes...
and going for a long ZZZZZZZZZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz....
Once upon a time in the LandZdown.........
:wink: