#1
Hi,
Sadly I have been visiting some untoward sites and have picked up something undetectable by avg, wormguard, symantec online, adaware and tds. It usually starts when I am online but sometimes initiates offline. It involves the mouse left clicking rapidly. It will occur for about 30 secs and then go away for some time. It will click whichever button is selected on the desktop, e.g. if I have selected to open winamp on the taskbar/desktop, I will get about twenty instances of that software opening. I don't really know what is going on.

I also notice that Pegasus, my mail client, will have a momentary lag in performance when writing a message. It seems to me to be like a screen shot being taken.

Love to find out what this mouse clicking is before I try a reformat again.
#2
Hi angryof,
I do have a suspicion. To confirm this, could you post your HijackThis log?

Download, unzip and run HijackThis, then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post. Don't fix anything yet. Most of what it finds is harmless.

Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
#3
Thanks Pieter,
Here is the log. Do you want start up log too?

Logfile of HijackThis v1.95.0
Scan saved at 1:09:13 PM, on 7/14/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\PDESK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\SECURITY\HI JACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.netconnect.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.netconnect.com.au
F1 - win.ini: load=C:\MEDIAPAC\vi_grm.exe
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [ZRR] D:\SETUP.EXE
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: vpsched.lnk = C:\Program Files\Matrox Video Tools\vpsched.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
#4
Hi angryof,
I don't need the StartUpList, but I do need the complete HT log. From what I can see now:

O4 - HKLM\..\Run: [ZRR] D:\SETUP.EXE
is unknown to me.

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
is not needed.

O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
not needed either

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
ditto

O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
can be disabled

O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
No use for it starting up. Doesn't provide resident protection.

O4 - Startup: vpsched.lnk = C:\Program Files\Matrox Video Tools\vpsched.exe
Not sure if it really needs to be starting up

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Champion among resource hogs

O15 - Trusted Zone: http://free.aol.com
Security risk

Try and see if disabling at least a few of the above helps and look up D:\SETUP.EXE, right-click it and see if the properties reveal anything about its purpose.

Regards, Pieter
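An added example, not part of the original thread: a small Python parser for the HijackThis log format posted above that pulls out the autostart entries (F1 and O4 lines) and lists those launching from a full path outside the Windows and Program Files directories, as candidates for the kind of Properties check suggested for D:\SETUP.EXE. The sample is an excerpt constructed from entries in post #3; the prefix list and function names are assumptions of this example, and a listed entry is a prompt for review, not a verdict.

```python
import re

# Constructed sample: an excerpt of the HijackThis log entries posted in this thread.
SAMPLE = r"""Logfile of HijackThis v1.95.0
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.netconnect.com.au/
F1 - win.ini: load=C:\MEDIAPAC\vi_grm.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ZRR] D:\SETUP.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: vpsched.lnk = C:\Program Files\Matrox Video Tools\vpsched.exe
O15 - Trusted Zone: http://free.aol.com
"""

# A numbered entry has the form "<section code> - <body>".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# Bodies of the two autostart sections, each captured as (source, name, command).
AUTOSTART_RES = {
    "F1": [re.compile(r"^(\w+\.ini): (\w+)=(.+)$")],
    "O4": [
        re.compile(r"^(HK(?:LM|CU)\\\.\.\\Run\w*): \[([^\]]+)\] (.+)$"),
        re.compile(r"^((?:Global )?Startup): (.+?) = (.+)$"),
    ],
}
# Assumption of this example: locations treated as ordinary on a default install.
USUAL_PREFIXES = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRA~1\\")


def parse_log(text):
    """Return (code, body) for every numbered entry; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def autostarts(entries):
    """Return (source, name, command) for each F1 and O4 entry that parses."""
    found = []
    for code, body in entries:
        for pattern in AUTOSTART_RES.get(code, []):
            m = pattern.match(body)
            if m:
                found.append(m.groups())
                break
    return found


def needs_review(command):
    """True when the command gives a full path outside USUAL_PREFIXES."""
    path = command.strip().lstrip('"').upper()
    if not re.match(r"[A-Z]:\\", path):
        return False  # bare file name: the log does not say where it lives
    return not path.startswith(USUAL_PREFIXES)


def triage(text):
    """Autostart entries to check by hand, in log order."""
    return [e for e in autostarts(parse_log(text)) if needs_review(e[2])]


if __name__ == "__main__":
    for source, name, command in triage(SAMPLE):
        print(f"review: {source} [{name}] -> {command}")
```

Entries given only as a bare file name (SysTray.Exe, CTHELPER.EXE) are not listed, because the log does not show which directory they resolve from.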
#5
Thanks Pieter,
I will try all that. I really appreciate it.
Angry of
#6
Pieter,
I am also worried that win32.dll keeps trying to get past Sygate. Sygate is the only firewall picking it up. The message says win 32 core application is blocked. I have blocked it permanently but it keeps asking. Is this an indication of something wrong?
#7
Does the message correspond with the one mentioned here: http://www.sygate.com/support/technotes/ssd_sms/SPFFAQ011.htm ?
Several viruses are known that use win32.dll as a filename, so it might not be a bad idea to do an online scan. You can find several here: http://www.wilders.org/free_services.htm

It might help some of our virus-experts if you could search win32.dll on your computer and let us know where it is found and what the properties are.

I just noticed that there is still a component of Outpost active as well. This could lead to problems.

Regards, Pieter
#8
Hi Pieter,
Here is something that just popped up on wormguard after I did an online trojan scan. Probably harmless but here are the details.

FILE: c:\temp\unregister.bat
SIZE: 520 bytes
-------------------------------FILE BEGINS-------------------------------
Echo off
regsvr32 /u /s "C:\TEMP\TDECNTRL\TDECntrl.dll"
:DELETE1
del "C:\TEMP\TDECNTRL\TDECntrl.dll"
if exist "C:\TEMP\TDECNTRL\TDECntrl.dll" goto DELETE1
regsvr32 /u /s "C:\TEMP\TDECNTRL\TDE.dll"
:DELETE2
del "C:\TEMP\TDECNTRL\TDE.dll"
if exist "C:\TEMP\TDECNTRL\TDE.dll" goto DELETE2
del "C:\TEMP\TDECNTRL\md5full.tde"
del "C:\TEMP\TDECNTRL\psapi.dll"
del "C:\TEMP\TDECNTRL\trojanscanres.html"
del "C:\WINDOWS\Downloaded Program Files\TDECntrl.INF"
rmdir "C:\TEMP\TDECNTRL"
del "C:\TEMP\unregister.bat"

I did a search for Win32.dll and it didn't show up anywhere on my computer, but I did get these:
Win32s16.dll in C:\WINDOWS\SYSTEM
and Win32s16.dll in C:\WINDOWS\SYSBCKUP

The win32 asking permission from sygate could be as you described but I don't know. I have been online for over one hour now and the clicking mouse hasn't occurred but I will watch over the next few days and let you know. Also allowed sygate to let win 32 through for ICMP.

I wish that these guys would apply themselves to hacking into the cancer cell or similar, I think they could use their genius in a better way.

Thanks for your expertise once again,
Angry of
#9
Pieter,
Just waiting for your answer re the last question. My computer has broken down so I am borrowing one. I am hoping that my last statement isn't so silly that you just ignored it.
Cheers, angry of
#10
Hi Angryof,
Seeing Pieter is not online at the moment, I googled for that TDECNTRL; the only place where I see it mentioned is here in somebody else's HijackThis log, where it was not removed, so it might be ok. Only thing is, I did online scans in various places and never had that WG warning, so... was this from housecall or another online scanner?
__________________
Jooske "o_o"
#11
Quote:
Not at all. I was just waiting for answers to other questions I asked.

The unregister.bat is from www.trojanscan.com. It cleans out the files that are put on your system in order to perform the scan.

Regards, Pieter
#12
As an additional tool that might help: http://www.turboware.com/WhatsHappening.htm
It gives you the opportunity to see what program is using a certain dll and vice versa.

HTH, Pieter
#13
I wondered if you also went to housecall. Since they changed something on their site in late June I can't get updates or online scans there anymore, and I was not able to get any proper support to solve the ever-returning error 28, so I don't recommend going there anymore till that is solved properly for all users, to avoid further frustration and spoiling time; I can't say anything about the quality of the scans since it is unavailable for many users.

This is what I mean relating to your possible scan results, and if you went there, to go to another place for a second opinion. Since you seem to have used another place, whose results Pieter confirmed about removing the temp files after scanning, that sounds ok. I'm sure your computer's situation is not hopeless, so take the steps and answer every question Pieter asks please, which is a learning experience for others too!
#14
HI,
My old computer is no good anymore; the connection for the keyboard has broken off, so I am using a small computer which is the only one allowed onto the internet from now on. This makes things a little bit more complicated. I have installed the old hard disc and am getting the clicking mouse problem again. Will continue until we kill this thing.

I have just had this message from wormguard:

Risk Assessment: Medium
*> Suspicious strings detected. WormGuard has found a few strings in this file that are suspicious.
*> Contains suspicious string: virus LINE=...... not giving anymore details.

Here is the hijack this log for the new computer. Hoping we can get to the bottom of this.

Here is a site which I believe is related to my problem: www.drbizzaro.com. If I visit their chat rooms main, they are able to change my home page browser settings to their site. They have something on my computer at least. It could be one of the other sites linked to them who are doing this, I believe.

I suppose if I wasn't visiting with this attitude I would not now have this response :'(

Thanks,
Angry of
#15
I forgot to paste the hijack this log.
Here it is.

Logfile of HijackThis v1.95.0
Scan saved at 2:58:50 PM, on 7/24/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WORMGUARD\WGUARD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\SECURITY\HI JACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.netconnect.com.au/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Microsoft Office.lnk = D:\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
#16
Hi,
I noticed you mention that the Win32 thing continued to try to call out. How did you search to find it? The reason I ask is if you searched by specifying win32*.dll you could have missed it. If that's what you did, try searching for Win32dll (no dot in there) and then just Win32.
#17
Hi angryof,
There is nothing wrong in your log.

To protect your browser settings install SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
And follow the advice given here: http://www.net-integration.net/cgi-bin/for...=ST;f=38;t=3051

Regards, Pieter
#18
Hi,
One friend of mine has the same or similar problem. From time to time, when viewing a window, things move very fast as if the mouse was clicked. Sometimes the file list is moving so fast that he is unable to click on one file. He has eSafe and nearly no other tool.

As an urgent action, I first asked him to scan with http://www.spywareinfoforum.com/xscan.php. However, I wonder whether the scan was efficient. Nothing was found by xscan but, later, I installed Spybot S&D for him and some 60-70 items were found. Later, SpywareBlaster was installed, then Ad-aware + ad-watch. A few items were found by Ad-aware. That's nearly all I can do. The mouse looks more stable now but I have still seen random movements after all the cleaning operations.

Here is his HijackThis.log. I checked nzdd and nwiz but they seem legitimate. Backweb may be adware but should not be really harmful. Wanadoo is the ISP.

Logfile of HijackThis v1.94.0
Scan saved at 22:58:14, on 25/07/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Wanadoo, Internet avec France Télécom
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O1 - Hosts: 216.239.37.101 www.kazaagold.com
O1 - Hosts: 216.239.37.101 www.k-lite.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - C:\PROGRA~1\eSafe\Protect\espie.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\taskbaricon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [eSafe Protect] "C:\Program Files\eSafe\Protect\ESPWatch.exe" /delay=5
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Wanadoo (HKCU)
O10 - Unknown file in Winsock LSP: c:\progra~1\esafe\protect\espsock2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\esafe\protect\espsock2.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\esafe\protect\espsock2.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/dribnif/fr/win/QuickTimeInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/fr/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37709.5265393518
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/1,0,3,8/fr/AccesMembre.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab

He uses a wireless mouse. One moment I thought that maybe his mouse got some parasites, but I have seen similar posts in a French forum.

What is your opinion please? Thanks in advance.

Regards, Yinda
#19
Hi Yinda,
Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

Then reboot.

Another one that could be causing it is:

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

but since that is a (sometimes) needed mouse driver, it would be better to disable that with a startup manager or in msconfig (easier to restore).

If that does not do the trick, please have your friend download the latest version of HijackThis and post another log.

Regards, Pieter
#20
Hi Pieter,
What is "Fix checked" please? If this means removal, do you mean that the Logitech mouse driver LVCOMS.EXE should not be there?

I have just downloaded HijackThis 1.95 and sent it to my friend.

Thanks, Yinda
#21
It means that the application will no longer be launched automatically as Windows starts.
It's the Logitech Quick Cam Lvcomm server, and the Logitech Cam ought to work fine without it running. Alternatively, go to Start > Run > Msconfig, and uncheck the item on the Startup tab.
__________________
Tony
CLSID List - A Collection of Autostart Locations
#22
Thanks Tony,
I'll ask my friend to fix.
Regards, Yinda