|
|
|||||||
| Spyware Cleaning Section Closed!! |
| Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services. |
|
|
Thread Tools | Search this Thread |
|
#1
May 3rd, 2004, 04:25 PM
|
|||
|
|||
Re: Provolone - Revop.c Trojan
I too have a challenge with the trojan horse Revop.C.
I have run CWSchredder, AVG and the preliminary scan for the trial version of Norton Anti Virus. The AVG has "quarantined" this virus a half dozen times and it still comes back. Can you help me please?? Thanks! The Hijack log looks like this: Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\windows\system32\mnpol.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\program files\primesoft\safesearch\safesearch.exe C:\WINDOWS\System32\desk98.exe C:\WINDOWS\System32\atiptaxx.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe C:\QBOOKSW\Components\QBAgent\QBDAgent.exe C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe C:\WINDOWS\System32\mrtMngr.EXE C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\hpoipm07.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Download\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usccb.org/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - **¦C:\WINDOWS\twaintec.dll (file missing) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - **¦C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing) O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - **¦C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll (file missing) O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - **¦C:\Program Files\NewDotNet\newdotnet6_22.dll (file missing) O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - **¦c:\program files\google\googletoolbar1.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect O4 - HKLM\..\Run: [MNPol] c:\windows\system32\mnpol.exe /nocomm O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe /install O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 4.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\QBDAgent.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Yahoo! Login (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://204.177.92.201/nslite/nslite.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312 O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{29335CE3-5AE4-4B99-B08A-BD5C453A6A18}: NameServer = 209.153.128.4,169.207.1.3 O17 - HKLM\System\CS1\Services\Tcpip\..\{29335CE3-5AE4-4B99-B08A-BD5C453A6A18}: NameServer = 209.153.128.4,169.207.1.3 |
|
#2
May 3rd, 2004, 09:40 PM
|
||||
|
||||
|
Re: guinness1327 - Revop.c Trojan
Hi guinness1327, and welcome to Wilders.
I have split off your post from the other member's thread, and into a new thread of your own. Please keep all replies here in your own thread until your computer is clean. Thank you. Regards, snap
__________________
@-`-,-- |
|
#3
May 4th, 2004, 05:08 AM
|
||||
|
||||
|
Re: Provolone - Revop.c Trojan
Hi guinness1327,
First try to remove NewDotNet aka New.Net (Domains) in Add/Remove Software. Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked: O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - **¦C:\WINDOWS\twaintec.dll (file missing) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - **¦C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing) O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - **¦C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll (file missing) O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - **¦C:\Program Files\NewDotNet\newdotnet6_22.dll (file missing) O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - **¦c:\program files\google\googletoolbar1.dll (file missing) O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /noconnect O4 - HKLM\..\Run: [MNPol] c:\windows\system32\mnpol.exe /nocomm O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe /install O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://204.177.92.201/nslite/nslite.cab O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab Then reboot into safe mode and delete: c:\program files\primesoft <= entire folder C:\WINDOWS\alchem.exe c:\windows\system32\msdmxm.exe /noconnect c:\windows\system32\mnpol.exe Regards, Pieter
__________________
Regards, Pieter It´s nice to be important, but it´s more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#4
May 4th, 2004, 09:41 AM
|
|||
|
|||
|
Re: guinness1327 - Revop.c Trojan
Thank you Pieter for your suggestions.
I was able to remove New.net in Add/Remove software In HijackThis, I performed the fix on the items identified except the 02 - BHO ...\NewDotNet\.... item was not in the list likely because I had just removed the program. I rebooted into Safe Mode and deleted the first and last entry identified. There was no "C:\WINDOWS\alchem.exe" to delete [there was "alchem.ini" which I left alone]. There was no "c:\windows\system32\msdmxm.exe/noconnect" to delete. When I rebooted in NORMAL everything seemed okay but after going into Windows Explorer for some work, the the AVG warning about Revop.c popped up again. I re-did HijackThis and the new listing is as follows: Logfile of HijackThis v1.97.7 Scan saved at 8:29:00 AM, on 5/4/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\System32\desk98.exe C:\WINDOWS\System32\atiptaxx.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe C:\QBOOKSW\Components\QBAgent\QBDAgent.exe C:\WINDOWS\System32\mrtMngr.EXE C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\System32\hpoipm07.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Download\hijackthis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usccb.org/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 4.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\QBDAgent.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Yahoo! Login (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312 O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{29335CE3-5AE4-4B99-B08A-BD5C453A6A18}: NameServer = 209.153.128.4,169.207.1.3 O17 - HKLM\System\CS1\Services\Tcpip\..\{29335CE3-5AE4-4B99-B08A-BD5C453A6A18}: NameServer = 209.153.128.4,169.207.1.3 THANK YOU for your help in trying to solve this challenge. If you could suggest anything more, I would appreciate it. You folks provide a valuable service to us pedestrian users of computers and the internet. Pat |
|
#5
May 4th, 2004, 10:01 AM
|
||||
|
||||
|
Re: guinness1327 - Revop.c Trojan
Hi Guinness1327,[t
Quote:
The address is pieterATwilderssecurity.org (replace AT with @) Then retry this one. Make sure all other Windows except HijackThis are closed when you hit the Fix checked button. O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll Then copy the part in bold below into notepad and save the file as pupchaser.reg Doubkleclcik that file and confirm you want to merge it with the registry. That should take away some of the keys that it is using to restart. REGEDIT4 [-HKEY_LOCAL_MACHINE\Software\pup] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\comms] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup] Then reboot. Regards, Pieter
__________________
Regards, Pieter It´s nice to be important, but it´s more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#6
May 4th, 2004, 10:43 AM
|
|||
|
|||
|
Re: guinness1327 - Revop.c Trojan
Hi Pieter,
I sent you an e-mail with the Notebook version of the alchem.ini . I did all the other things you suggested but the darn warning still comes up and "C:\Documents and Settings\patrick russell\Local Settings\Temp" still contains the file "LC505954.EXE" which is the file that activates the warning. The most recent iteration of HijackThis reads as follows: Logfile of HijackThis v1.97.7 Scan saved at 9:42:08 AM, on 5/4/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\System32\desk98.exe C:\WINDOWS\System32\atiptaxx.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe C:\QBOOKSW\Components\QBAgent\QBDAgent.exe C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe C:\WINDOWS\System32\mrtMngr.EXE C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe C:\WINDOWS\System32\hpoipm07.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Download\hijackthis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usccb.org/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 4.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\QBDAgent.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Yahoo! Login (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312 O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{29335CE3-5AE4-4B99-B08A-BD5C453A6A18}: NameServer = 209.153.128.4,169.207.1.3 O17 - HKLM\System\CS1\Services\Tcpip\..\{29335CE3-5AE4-4B99-B08A-BD5C453A6A18}: NameServer = 209.153.128.4,169.207.1.3 Thanks again! Pat |
|
#7
May 4th, 2004, 10:49 AM
|
||||
|
||||
|
Re: guinness1327 - Revop.c Trojan
Ah, That is where it is hiding.
Reboot into safe mode and delete the content of C:\Documents and Settings\patrick russell\Local Settings\Temp <= DO NOT DELETE the folder itself but everything in it The Local Settings folder is hidden by default. To "unhide" hidden files and folders: Launch My Computer from the Desktop Icon. Select View, Details. Select the Folders button. Select Tools, Folder Options. Then select the View Tab. Select the Show hidden files and folders radio button is selected and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then Like Current Folder (located near the top of the Folder Options box). Then select OK. Regards, Pieter
__________________
Regards, Pieter It´s nice to be important, but it´s more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
|
#8
May 4th, 2004, 10:59 AM
|
|||
|
|||
|
Re: guinness1327 - Revop.c Trojan
You are a genius!!
It looks good......thank you again for your valuable service!! Peace! Pat |
|
#9
May 4th, 2004, 11:02 AM
|
||||
|
||||
|
Re: guinness1327 - Revop.c Trojan
My pleasure.
 Please read: http://www.wilderssecurity.com/showthread.php?t=27971 to minimize the risk of getting infected again. Regards, Pieter
__________________
Regards, Pieter It´s nice to be important, but it´s more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it. |
| « Previous Thread | Next Thread » |
| Thread Tools | Search this Thread |
|
|
