A froggie's big mess.... needs a hand or two...

Started by Goatie, August 24, 2005, 10:48:31 PM


Goatie

DIE HARD,
I would have thought you'd be in bed by now in Sweden and here you are still step dancin' for us in Canada!!!  :wink:

I will get at it in just a few hours... I'm 80 years old right now but will be back to 62 at 4 am !!!  :tease:

...and he didn't reboot or shut down since those last logs... and will not until it says REBOOT NOW signed by YOU!  :lol:


Thanks a million for the encouraging words (steps)... no money can buy that right now :)!

I guess you know you are a GREAT GUY??? so I won't say it again... but boy! nothing can stop me from thinking it!!!

Now... Go to sleep!   :wink:

Goatie

Hi! Die Hard... Here I am, back to teach you a new dance...
with a lot of practice, you'll get to like it maybe???....  8)

Here's what happened today and the results... well, some of them...

He downloaded "RapidBlaster removal" and installed it in Program Files !!! Ouch! yes... loose in there! He ran it but could never find a scanlog.txt anywhere there... nor with a search!  :(  Sorry about that one, I thought he knew by now... but... life is full of surprises sometimes!!!

Did uninstall:
Logitech desktop messenger
Memory blaster
Spool
TopFiveSearch.com Search Assistant
Trace Blaster

Ran HJT and fixed all but this one missing:
O4 - HKCU\..\Run: [TraceBlaster] C:\Program Files EXTERNES\Trace Blaster\tbtray.exe

Files removed or not found:

C:\WINDOWS\System32\MS7531.html  <<< file: deleted
C:\WINDOWS\System32\ms7531.exe  <<< file: not found
teekids.exe  <<< file: not found
ati2vid.exe  <<< file: not found
C:\Program Files\spool\spool.exe  <<< file: deleted
C:\WINDOWS\WindowsUpd4.exe  <<< file: not found
C:\WINDOWS\Fonts\faxras.exe  <<< file: not found
C:\WINDOWS\AppPatch\acvga.exe  <<< file: not found
C:\WINDOWS\Web\printers\unjava.exe  <<< file: not found
C:\WINDOWS\inf\keyrun.exe  <<< file: not found
C:\WINDOWS\Config\ipjava.exe  <<< file: not found
C:\WINDOWS\system\eulas.exe  <<< file: not found
C:\WINDOWS\System32\canada.exe  <<< file: not found
C:\Program Files EXTERNES\MemoryBlaster\  <<< folder: deleted
C:\Program Files EXTERNES\Trace Blaster\  <<< folder: deleted
C:\Program Files\PrecisionTime\  <<< folder: not found
C:\Program Files\Date Manager\  <<< folder: not found
C:\Program Files\Fichiers communs\GMT\  <<< folder: deleted
C:\Program Files\eBay\eBay Toolbar2\  <<< folder: not found
C:\Program Files\Copernic Agent\  <<< folder: deleted
C:\WINDOWS\svchost.exe  <<< file: deleted

He says these are now in the recycle bin:
copernicagentbasicfr.ex
memoryblaster.exe
ms7531.htmlm
SPOOL.EXE-00C19DC.pf
svchost.exe
svchost.exe
SVCHOST.EXE
SVCHOST.EXE-3530F672.pf
traceblaster.exe
TRACEBLASTER.EXE-2083A750.pf

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 20:05:33, on 2005-08-30
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.radio-canada.ca/"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://c%3a%5cprogram%20files%5cnetscape%5cnetscape%5csearchplugins%5cnetscape_france.src"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: Accélérateur de démarrage AutoCAD.lnk = C:\Program Files\Fichiers communs\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - Unknown owner - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe


:exorcize: :exorcize: :exorcize:

Thank you again...  and again!

:)


Die Hard

Goatie :)

That dance is too complicated for me, besides I have to read the log from right to left   :D :D  :tease:

We have to have this line fixed and the file removed.
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


Please open "Start > Run", type Services.msc, and look whether this name can be found and stopped as per the instructions given before:
.NET Framework Service (.NET Connection Service)
That file is a downloader and will fill the computer with new files as soon as we get on the internet again, I'm afraid.


This is the only offending file that´s left, you did a great job :thumbsup:

regards

Die Hard :)

I create and edit my posts in GS-NOTES
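The two things Die Hard picks out of the log above (an O23 service whose binary is reported "(file missing)", and a file named svchost.exe sitting in C:\WINDOWS instead of C:\WINDOWS\System32) are mechanical checks, so here is a small scanner that applies them to HijackThis-style log text. This is an added example, not code from the thread or from HijackThis itself. It assumes a default Windows XP layout where core system processes live only under C:\WINDOWS\System32, and the sample log is constructed from lines quoted in this thread plus one made-up running-process line (C:\WINDOWS\svchost.exe) so the process check has something to catch.

```python
import re
from typing import Dict, List

# Assumption: default Windows XP install, so the core system processes below
# are only ever started from C:\WINDOWS\System32 (adjust for C:\WINNT etc.).
SYSTEM32_DIR = r"c:\windows\system32"
SYSTEM_ONLY_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# HijackThis line shapes used here: "O23 - Service: <name> - <owner> - <path>",
# "O4 - <key>: [<name>] <command>" and "O4 - Global Startup: <lnk> = <command>".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.+?)\] (?P<cmd>.+)$")
O4_LNK_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")


def exe_path(cmd: str) -> str:
    """Reduce a command line to its executable: drop HijackThis's
    '(file missing)' note, surrounding quotes and trailing switches."""
    cmd = cmd.replace("(file missing)", "").strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def location_reasons(path: str) -> List[str]:
    """Flag a core system binary name that sits outside System32."""
    folder, _, base = path.strip().lower().rpartition("\\")
    if base in SYSTEM_ONLY_BINARIES and folder != SYSTEM32_DIR:
        return ["system binary name outside System32: " + path]
    return []


def scan_hjt_log(text: str) -> List[Dict]:
    """Return one finding per suspicious running process, O4 autostart or
    O23 service; each finding lists every reason it was flagged."""
    findings: List[Dict] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            section = "processes"
            continue
        if ENTRY_RE.match(line):  # first R/N/O entry ends the process list
            section = "entries"

        if section == "processes":
            reasons = location_reasons(line)
            if reasons:
                findings.append({"line": line, "path": line, "reasons": reasons})
            continue

        m = O23_RE.match(line)
        if m:
            path = exe_path(m.group("path"))
            reasons = []
            if "(file missing)" in line:
                reasons.append("service binary reported missing; orphaned entry should be removed")
            if m.group("owner").lower() == "unknown owner":
                reasons.append("no registered service owner (informational)")
            reasons += location_reasons(path)
            if reasons:
                findings.append({"line": line, "path": path, "reasons": reasons})
            continue

        m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            reasons = location_reasons(path)
            if reasons:
                findings.append({"line": line, "path": path, "reasons": reasons})
    return findings


# Constructed sample: lines quoted in the thread plus one made-up process line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 20:05:33, on 2005-08-30

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\Program Files\ewido\security suite\ewidoguard.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: C-DillaSrv - Unknown owner - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

On the sample this reports three items: the made-up C:\WINDOWS\svchost.exe process, the .NET Framework Service entry (missing file, unknown owner, and svchost.exe outside System32), and C-DillaSrv (missing file, unknown owner). The "unknown owner" reason is deliberately informational only, since plenty of legitimate services also lack a registered owner; the location check is the one that separates the fake svchost.exe from the real ones.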

Goatie

Die Hard....  :lol:

OK, I'm up again,  :breakkie: and feeling younger than last night  :) so I go right back to work and will give it all I can.....  before I jump in my car and drive all the way there and search for it myself if needs be!!!   :boat: getting the tail of Katrina here today, so that would be by boat!!!

We're going to get that culprit, that is my mission today!
Oh! ILLUSION, why do I feel so good to see only one item when it is such a dangerous one and he's so hard to trace!

Off I go with my 4 hoofs... to work old lady goat! 

Thank you Die Hard, you're still my hero even if you won't stand on your head for me!  :tease:


Die Hard

The progress of Katrina has been on the headlines here as well. (progress? It doesn't sound right when talking of a disastrous hurricane)

I hope you or your property weren't hurt too badly  :shock:

Die Hard :)

Goatie

It should have lost a lot of its intensity once here... and I'm in the upper part of the city on top of the big rocky cape (not on the edge either, eheh!) so... all should go well here!  :)

OK, I've done the translation and showed him how to do a screen capture... so maybe if he can practice that on his list of Services... I can spot that item he can't find up to now.... (although I thought he had !!!...) Surely that name must be in English... unless the bad guys pushed the devotion all the way to making language versions of it!!!  :moreevil:

:) will be back later... with results I HOPE !


Goatie

WE GOT IT!!!  :Yahoo: we did deactivate the darn thing!!! FINALLY!!!

Now please dear Grand Master Die Hard... tell me what I want to hear, I'm down on my knees, yes Sir! I AM!

This is a HJT log done right after, no reboot... normal mode...

Logfile of HijackThis v1.99.1
Scan saved at 11:27:30, on 2005-08-31
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\Keyboard\Ikeymain.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Service Internet Sympatico
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.radio-canada.ca/"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://c%3a%5cprogram%20files%5cnetscape%5cnetscape%5csearchplugins%5cnetscape_france.src"); (C:\Documents and Settings\Claude\Application Data\Mozilla\Profiles\default\mw8b4oyw.slt\prefs.js)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\PROGRA~1\Druide\Antidote\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: Accélérateur de démarrage AutoCAD.lnk = C:\Program Files\Fichiers communs\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - Unknown owner - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

ooooooooh! I hope nothing else sprouted in there......

Die Hard

Goatie !!  :thumbsup:  :thumbsup:

I'm the one who should be amazed. You did the e-mailing, the phoning...............and the rowing !!!  :thumbsup:
All I did was sit at my desk reading a log  :P

I needn't say it, but look up every possible security program available; just don't overdo it, or he'll feel uneasy with them and turn them off completely instead. Best is to keep a balance there.

By the way..........did I say the log is squeaky clean and you can stand up again?  LOLOL!!   :gwave:

Regards

Die Hard :)

Corrine

First,

Second, may I suggest clearing System Restore and setting a brand new clean restore point.  Here are a couple links for illustration:  http://www.atribune.org/sysrestore.html and http://www.bleepingcomputer.com/forums/tut56.html

Next, install SP2.  Then it's time to party!  :Yahoo:



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Goatie

Saint Die Hard...

I email, phone and row all year long... and it never killed a critter !

I also read a lot of logs and it didn't do it either.... !

The secret recipes you type with your fingers are what make the MAGIC happen, and that I don't have and YOU do !!!


Now here is what I had in mind for him now:

-SP2 and updates
-Zone Alarm firewall (tested with GRC's Shields Up of course....)
-AVG antivirus
-Ad-Aware SE
-Spywareblaster
-Mitch's IE & OE settings

-CCleaner

In all this, only Zone Alarm I don't know anything about yet, but it seems to be the only free one available now from what I hear...
Just not sure if I should have him install SP2 first or after the firewall and AV...

If you have better idea... in your recipe book... I'd sure listen real good!!!

And how can I thank you, I feel so grateful to you! ...and your sense of humor and good encouragements all along were worth GOLD like fuel in a car... that keeps you going even when you're lost!

OK, I stand up now and let you enjoy the sight of a clean course... :lol:




Goatie

CORRINE... aah! SAINT YOU TOO !!!

You, who got us started on the road to recovery!!! ...and always there with T.L.C. when it is needed! here... there... everywhere!!!  :lol:

And now, you remind me of this important step to take and I had completely forgotten about.... THANK YOU!!!!!

ahah! here I am rejoicing and jumping with joy... and my friend doesn't even know yet he's clean as a whistle !!!

Well, I will announce it to him... but make sure he goes through a few more steps before!!!  eheh! ...just in case he wants to go WILD and announce it to the world BEFORE I SECURE HIM GOOD AND TIGHT!!!  :tease:

mitch

ATTENTION CRAPWARE WRITERS

There is a new sheriff in FROGIETOWN and has a real mean posse
so take a hint and go now


Goatie

Aaaaah! you MITCH the One and Only PP of this earth! ...who got me from  this :titanic: to this:  :boat: a couple years ago (sure is handy up to this day... where I even used it to get my groceries today...) and has kept me going straight ever since! You might not have made a career as a HJT logger but you sure have all the secret dark corners of XP figured out! YEP! you're a PHANTOM and a PHIXER and I'm a PHROG and a PHIDDLE and PHADDLE!!!  :tease:
....and now promoted to SHERIPHOOD!!! WOW!!!  :Yahoo:

Ghost

May I suggest SpywareGuard from javacoolsoftware also.

E :)

Corrine

Excellent suggestion, eagle! 

Goatie, know what I did for a friend whose kids did a job on the computer?  I registered him here and subscribed him to the Update threads for the software on the computer.  I then changed the email address to his work address so he'd know when there is an update.  He has promised me that he'll make sure the updates are done. 

