PLEASE HELP - Hijack this log - comp # 2

Re: PLEASE HELP - Hijack this log

Thank you sooo much for your help. Unfortunately - I can't get access to that computer right now - the office is locked. I can't get to it until Tuesday next week.

BUT..... computer # 2 is really having problems too. I am on this one and maybe you can help with it?
This computer has 17 infected files with TOMADI and REVOP Trojan viruses. It also keeps getting Exporer pop ups I can't seem to turn off. It is cabled into a broadband, but keeps kicking off of AOL. It is operating with Windows 98. So, aside from throwing it away, what can I do to fix this one.

Logfile of HijackThis v1.97.7
Scan saved at 4:35:20 PM, on 4/15/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\WAOL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\WINDOWS\SYSTEM\NICODEU.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dellnet.alltheweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dellnet.alltheweb.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NICODEU] C:\WINDOWS\SYSTEM\NICODEU.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = vectorlink.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.11.201,151.164.1.8

 

Hi becklett,

Welcome to Wilders.

Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)

O4 - HKLM\..\Run: [NICODEU] C:\WINDOWS\SYSTEM\NICODEU.exe

There also may be hidden files. See HERE for how to show hidden files.

Then reboot into safe mode and delete:

C:\WINDOWS\BrowserHelper.dll
C:\PROGRAM FILES\DASHBAR\ <-- entire folder
C:\WINDOWS\SYSTEM\NICODEU.exe

Reboot and then post a fresh HijackThis log.

Regards,
Kent

 

I think it looks a lot better - see log below. But I still have the Troj Revop.c Virus. I tried to clean or delete it but I get a response "unable in use". The only things running in Task Mgr is aol and explorer right now. So I don't know what to do... any suggestions. Win 98.

What do you think of the log now?? Thanks so much for your help..

Logfile of HijackThis v1.97.7
Scan saved at 4:23:49 PM, on 4/16/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dellnet.alltheweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dellnet.alltheweb.com/
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = vectorlink.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.11.201,151.164.1.8

 

Hi becklett,

What is the exact message you are getting? Is it an AV or AT finding it and which one?

Regards,
Kent

 

Kent - thanks for your help. The computer is at the office and I can e you Monday morning with the exact response. I was using Trend Micro Housecall. I had run Spybot & adaware 6 - then Trend Micro Housecall online. The response was that Housecall was unable to clean and unable to delete TROJREVOP.A from C:\\windows\system\propl.exe.

Plus.. part of the problem I have with that computer is that I cannot get the 'updates' for spybot & ad aware - it computer stops receiving the info in the middle or start of the download. Could the virus be doing this?

I truely appreciate your help here.

Becky

 

Re: PLEASE HELP - Hijack this log - comp # 2 - OK NOW

Ok ok... I ran ad aware 6, spybot (although it would freeze when I tried to download updates), Panda activescan (which cleaned the virus.. I hope) and then trend micro housecall again - 0 virus present. I think it is all clean now. I hope.

Here is my log - thank you so so much for your help on this one.

Becky

Logfile of HijackThis v1.97.7
Scan saved at 4:43:56 PM, on 4/19/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\WAOL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dellnet.alltheweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dellnet.alltheweb.com/
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = vectorlink.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.11.201,151.164.1.8

 

Hi becklett,

Your log is clean. Hopefully you are not having any more problems.

Regards,
Kent

 

Thanks Kent.... we will know today when the computers 'normal user' comes back to work. Before I left last night I defraged and now with all of the other stuff gone (thanks you you), the computer is really quick. The true test will be today.
Thank you

Becky

 

Hi Becky,

I am looking forward to hear that all is fixed.

Regards,
Kent

 

Kent - Not one call from him re: any computer problems... other than he keeps getting kicked off his online access (but I think that is a problem with the wireless internet provider and not the computer). I think we are clear !!

Thank you so much for all of your help. You are the best !!

 

Hi Becky,

Glad to hear all seems OK. Thanks for the kind words.

Regards,
Kent

 

Hi soulburn,

I started a new thread for you located HERE. It is a lot easier if we keep just one computer and its problem in a single thread, a lot less confusing.

Regards,
Kent