clicking mouse

Discussion in 'malware problems & news' started by angryof, Jul 12, 2003.

Thread Status:
Not open for further replies.
  1. angryof

    angryof Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    7
    Hi,

    Sadly I have been visiting some untoward sites and have picked up something undetectable by avg, wormguard, symantec online, adaware and tds.

    It usually starts when I am online but sometimes initiates offline.

    It involves the mouse left clicking rapidly. It will occur for about 30 secs and then go away for some time. It will click whichever button is selected on the desktop, e.g. if I have selected to open winamp on the taskbar/desktop, I will get about twenty instances of that software opening.

    I don't really know what is going on.

    I also notice that Pegasus, my mail client, will have a momentary lag in performance when writing a message. It seems to me to be like a screen shot being taken.


    Love to find out what this mouse clicking is before I try a reformat again.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi angryof,

    I do have a suspicion. To confirm this, could you post your HijackThis log?
    Download, unzip and run HijackThis, then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  3. angryof

    angryof Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    7
    Thanks Pieter,

    Here is the log. Do you want start up log too?

    Logfile of HijackThis v1.95.0
    Scan saved at 1:09:13 PM, on 7/14/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\PDESK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\SECURITY\HI JACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.netconnect.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.netconnect.com.au
    F1 - win.ini: load=C:\MEDIAPAC\vi_grm.exe
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [ZRR] D:\SETUP.EXE
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: vpsched.lnk = C:\Program Files\Matrox Video Tools\vpsched.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://free.aol.com
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi angryof,

    I don't need the StartUpList, but I do need the complete HT log.
    From what I can see now.

    O4 - HKLM\..\Run: [ZRR] D:\SETUP.EXE is unknown to me.

    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    is not needed.

    O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
    not needed either

    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    ditto

    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    can be disabled

    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    No use for it starting up. Doesn't provide resident protection.

    O4 - Startup: vpsched.lnk = C:\Program Files\Matrox Video Tools\vpsched.exe
    Not sure if it really needs to be starting up

    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Champion among resource hogs

    O15 - Trusted Zone: http://free.aol.com
    Security risk

    Try and see if disabling at least a few of the above helps and look up D:\SETUP.EXE, right-click it and see if the properties reveal anything about its purpose.

    Regards,

    Pieter
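
An added example, not part of the thread and not HijackThis's own code: a small Python parser that splits a saved HijackThis log into its section codes and lists the entries a helper would check by hand first. The function names and the flagging rules are assumptions made for illustration, a flag means "look at this", not "malicious", and the sample is an excerpt of the first log posted above.

```python
import re

# Section codes that appear in the logs in this thread.
SECTION_MEANING = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "F1": "win.ini/system.ini autoload", "O1": "Hosts file entry",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "Autostart (Run keys, Startup folder)",
    "O8": "IE context-menu item", "O9": "IE extra button/menu item",
    "O10": "Winsock LSP", "O12": "IE plugin",
    "O15": "Trusted Zone site", "O16": "Downloaded Program Files (ActiveX)",
}

ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# "HKLM\..\Run: [Name] command"  or  "Startup: Name.lnk = command"
O4_RE = re.compile(
    r"^(?P<where>[^:\[]+): (?:\[(?P<name>[^\]]*)\] |(?P<link>.+?) = )(?P<cmd>.+)$")
DRIVE_RE = re.compile(r'^"?([A-Za-z]):\\')


def parse_log(text):
    """Return (code, detail) for every entry line; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review_reasons(code, detail, system_drive="C"):
    """Illustrative rules (assumptions): why an entry deserves a manual look."""
    reasons = []
    if code == "F1":
        reasons.append("program loaded from win.ini/system.ini")
    elif code == "O1":
        reasons.append("hosts file overrides DNS for this name")
    elif code == "O15":
        reasons.append("site runs with Trusted Zone settings")
    elif code == "O4":
        m = O4_RE.match(detail)
        cmd = m.group("cmd") if m else detail
        drive = DRIVE_RE.match(cmd)
        if drive and drive.group(1).upper() != system_drive:
            reasons.append("autostart target is not on the system drive")
        elif cmd.lstrip('"').startswith("\\"):
            reasons.append("autostart target has no drive letter")
    return reasons


def triage(text):
    """Entries with at least one review reason, in log order."""
    flagged = []
    for code, detail in parse_log(text):
        reasons = review_reasons(code, detail)
        if reasons:
            flagged.append({"code": code, "detail": detail, "reasons": reasons,
                            "section": SECTION_MEANING.get(code, "unknown section")})
    return flagged


# Excerpt of the first log posted in this thread (shortened for the example).
SAMPLE_LOG = r"""Logfile of HijackThis v1.95.0
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.netconnect.com.au/
F1 - win.ini: load=C:\MEDIAPAC\vi_grm.exe
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ZRR] D:\SETUP.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - Startup: vpsched.lnk = C:\Program Files\Matrox Video Tools\vpsched.exe
O15 - Trusted Zone: http://free.aol.com
"""

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f'{item["code"]:<4}{item["section"]}: {item["detail"]}')
        for reason in item["reasons"]:
            print(f"      review: {reason}")
```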
     
  5. angryof

    angryof Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    7
    Thanks Pieter,

    I will try all that. I really appreciate it.

    Angry of
     
  6. angryof

    angryof Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    7
    Pieter,

    I am also worried that win32.dll keeps trying to get past sygate.

    Sygate is the only firewall picking it up. The message says win 32 core application is blocked.

    I have blocked it permanently but it keeps asking. Is this an indication of something wrong?
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Does the message correspond with the one mentioned here: http://www.sygate.com/support/technotes/ssd_sms/SPFFAQ011.htm ?

    Several virii are known that use win32.dll as a filename, so it might not be a bad idea to do an online scan.
    You can find several here: http://www.wilders.org/free_services.htm

    It might help some of our virus-experts if you could search win32.dll on your computer and let us know where it is found and what the properties are.

    I just noticed that there is still a component of Outpost active as well.
    This could lead to problems.

    Regards,

    Pieter
     
  8. angryof

    angryof Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    7
    Hi Pieter,

    Here is something that just popped up on wormguard after I did an online trojan scan.

    Probably harmless but here are the details.
    FILE: c:\temp\unregister.bat
    SIZE: 520 bytes
    -------------------------------FILE BEGINS-------------------------------
    Echo off
    regsvr32 /u /s "C:\TEMP\TDECNTRL\TDECntrl.dll"
    :DELETE1
    del "C:\TEMP\TDECNTRL\TDECntrl.dll"
    if exist "C:\TEMP\TDECNTRL\TDECntrl.dll" goto DELETE1
    regsvr32 /u /s "C:\TEMP\TDECNTRL\TDE.dll"
    :DELETE2
    del "C:\TEMP\TDECNTRL\TDE.dll"
    if exist "C:\TEMP\TDECNTRL\TDE.dll" goto DELETE2
    del "C:\TEMP\TDECNTRL\md5full.tde"
    del "C:\TEMP\TDECNTRL\psapi.dll"
    del "C:\TEMP\TDECNTRL\trojanscanres.html"
    del "C:\WINDOWS\Downloaded Program Files\TDECntrl.INF"
    rmdir "C:\TEMP\TDECNTRL"
    del "C:\TEMP\unregister.bat"

    I did a search for Win32.dll and it didn't show up anywhere on my computer.

    but I did get these:

    Win32s16.dll in C:\WINDOWS\SYSTEM
    and

    Win32s16.dll C:\WINDOWS\SYSBCKUP

    the win32 asking permission from sygate could be as you described but I don't know.

    I have been online for over one hour now and the clicking mouse hasn't occurred but I will watch over the next few days and let you know.

    also allowed sygate to let win 32 through for ICMP

    I wish that these guys would apply themselves to hacking into the cancer cell or similar, I think they could use their genius in a better way.


    thanks for your expertise once again

    Angry of
     
  9. angry of

    angry of Guest

    Pieter,

    Just waiting for your answer re the last question. My computer has broken down so borrowing one.

    I am hoping that my last statement isn't so silly that you just ignored it.

    cheers,

    angry of
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Angryof,
    seeing Pieter not online at the moment, googled for that TDECNTRL, only place where i see it mentioned is here in somebody else's hijackthis log where it was not removed so it might be ok.
    Only thing is i did online scans in various places and never had that WG warning so...... was this from housecall or another online scanner?
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Not at all. I was just waiting for answers to other questions I asked.
    The unregister.bat is from www.trojanscan.com
    It cleans out the files that are put on your system in order to perform the scan.

    Regards,

    Pieter
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    As an additional tool that might help:
    http://www.turboware.com/WhatsHappening.htm
    It gives you the opportunity to see what program is using a certain dll and vice versa.

    HTH,

    Pieter
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I wondered if you also went to housecall. Since they changed something on their site late june i can't get update nor onlinescans anymore there, was not able to get any proper support to solve the ever returning error 28 so i don't recommend going there anymore till that is solved properly for all users to avoid further frustrations and spoiling time; the quality of the scans i can't say nothing about since it is unavailable for many users.
    This is what i mean relating to your possible scan results and if you went there to go for another place for a second opinion.
    Since you seem to have used another place, which results Pieter confirmed about removing the temp files after scanning sounds ok.

    I'm sure your computer's situation is not hopeless so take the steps and answer every question Pieter asks please, which is a learning experience for others too!
     
  14. angryof

    angryof Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    7
    HI,


    My old computer is no good anymore the connection for the keyboard has broken off so I am using a small computer which is the only one allowed onto the internet from now on.

    This makes things a little bit more complicated. I have installed the old hard disc and am getting the clicking mouse problem again.

    will continue until we kill this thing.


    I have just had this message from wormguard.

    Risk Assessment: Medium

    *> Suspicious strings detected.
    WormGuard has found a few strings in this file that are suspicious.

    *> Contains suspicious string: virus
    LINE=......
    not giving anymore details.

    Here is the hijack this log for the new computer. Hoping we can get to the bottom of this.

    Here is a site which I believe is related to my problem.

    www.drbizzaro.com.

    If I visit their chat rooms main, they are able to change my home page browser settings to their site.


    They have something on my computer at least. It could be one of the other sites linked to them who are doing this I believe.

    I spose if I wasn't visiting with this attitude :p

    I would not now have this response :'(

    thanks

    Angry of
     
  15. angryof

    angryof Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    7
    I forgot to paste the hijack this log.

    Here it is.

    Logfile of HijackThis v1.95.0
    Scan saved at 2:58:50 PM, on 7/24/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WORMGUARD\WGUARD.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    D:\SECURITY\HI JACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.netconnect.com.au/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - Startup: Microsoft Office.lnk = D:\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
     
  16. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    Hi,

    I noticed you mention that the Win32 thing continued to try to call out. How did you search to find it? The reason I ask is if you searched by specifying win32*.dll you could have missed it. If that's what you did, try searching for Win32dll (no dot in there) and then just Win32
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  18. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi,

    One friend of mine has the same or similar problem. From time to time, when viewing a window, things move very fast as if the mouse was clicked. Sometimes the filelist is moving so fast that he is unable to click on one file.

    He has eSafe and nearly no other tool.

    As an urgent action, I first asked him to scan with http://www.spywareinfoforum.com/xscan.php. However, I wonder whether the scan was efficient. Nothing was found by xscan but, later, I installed Spybot S&D for him and some 60-70 items were found.

    Later, SpywareBlaster was installed, then Ad-aware + ad-watch. A few items were found by Ad-aware.

    That's nearly all I can do. The mouse looks more stable now but I still have seen random movements after all the cleaning operations.

    Here is his HijackThis.log. I checked nzdd and nwiz but they seem legitimate. Backweb may be adware but should not be really harmful. Wanadoo is the ISP.

    Logfile of HijackThis v1.94.0
    Scan saved at 22:58:14, on 25/07/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Wanadoo, Internet avec France Télécom
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
    O1 - Hosts: 216.239.37.101 www.kazaagold.com
    O1 - Hosts: 216.239.37.101 www.k-lite.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2F4F8CC3-FF89-11D1-9F63-0020182D7E20} - C:\PROGRA~1\eSafe\Protect\espie.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
    O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\watch.exe
    O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\taskbaricon.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [eSafe Protect] "C:\Program Files\eSafe\Protect\ESPWatch.exe" /delay=5
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Wanadoo (HKCU)
    O10 - Unknown file in Winsock LSP: c:\progra~1\esafe\protect\espsock2.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\esafe\protect\espsock2.dll
    O10 - Unknown file in Winsock LSP: c:\progra~1\esafe\protect\espsock2.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/dribnif/fr/win/QuickTimeInstaller.exe
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/fr/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37709.5265393518
    O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} - http://dialup.carpediem.fr/CABS/1,0,3,8/fr/AccesMembre.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab


    He uses a wireless mouse. One moment I thought that maybe his mouse got some parasites, but I have seen similar posts in a French forum.

    What is your opinion please ? Thanks in advance.

    Regards,

    Yinda
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Yinda,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

    Then reboot.

    Another one that could be causing it is:
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    but since that is a (sometimes) needed mousedriver, it would be better to disable that with a Startupmanager or in msconfig (easier to restore).

    If that does not do the trick, please have your friend download the latest version of HijackThis and post another log.

    Regards,

    Pieter
     
  20. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Hi Pieter,

    What is "Fix checked" please ? If this means removal, do you mean that the Logitech mouse driver LVCOMS.EXE should not be there ?

    I have just downloaded HijackThis 1.95 and sent it to my friend.

    Thanks,

    Yinda
     
  21. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    It means that the application will no longer be launched automatically as Windows starts.
    It's the Logitech Quick Cam Lvcomm server, and the Logitech Cam ought to work fine without it running.

    Alternatively, go to Start > Run > Msconfig, and uncheck the item on the Startup tab.
     
  22. Yinda

    Yinda Registered Member

    Joined:
    Nov 17, 2002
    Posts:
    78
    Thanks Tony,

    I'll ask my friend to fix.

    Regards,

    Yinda
     