Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
#1
Thank you sooo much for your help. Unfortunately - I can't get access to that computer right now - the office is locked. I can't get to it until Tuesday next week.
BUT..... computer # 2 is really having problems too. I am on this one and maybe you can help with it? This computer has 17 infected files with TOMADI and REVOP Trojan viruses. It also keeps getting Explorer pop ups I can't seem to turn off. It is cabled into a broadband, but keeps kicking off of AOL. It is operating with Windows 98. So, aside from throwing it away, what can I do to fix this one.

Logfile of HijackThis v1.97.7
Scan saved at 4:35:20 PM, on 4/15/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\WAOL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\WINDOWS\SYSTEM\NICODEU.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dellnet.alltheweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dellnet.alltheweb.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NICODEU] C:\WINDOWS\SYSTEM\NICODEU.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = vectorlink.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.11.201,151.164.1.8
#2
Hi becklett,
Welcome to Wilders. Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)
O4 - HKLM\..\Run: [NICODEU] C:\WINDOWS\SYSTEM\NICODEU.exe

There also may be hidden files. See HERE for how to show hidden files. Then reboot into safe mode and delete:

C:\WINDOWS\BrowserHelper.dll
C:\PROGRAM FILES\DASHBAR\ <-- entire folder
C:\WINDOWS\SYSTEM\NICODEU.exe

Reboot and then post a fresh HijackThis log.

Regards,
Kent
__________________
Best regards, Kent AX64 Time Machine - Travel in Time Current Version 1.1.0.996
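
A fresh log can be checked mechanically against the items that were to be fixed and the files that were to be deleted. The Python below is an added example, not part of the original thread and not a HijackThis feature; the names `parse_log` and `verify_fix` are assumptions, and the two sample logs are shortened excerpts of the first and second logs posted in this thread.

```python
import re

# Entry lines are "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [X] path".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_log(text):
    """Return (running_processes, entries) from a HijackThis text log."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.add((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.add(line.upper())  # Win9x paths are case-insensitive
    return processes, entries

def verify_fix(before, after, fixed_lines, deleted_files):
    """Compare a follow-up log with the items that were to be fixed."""
    _, old = parse_log(before)
    procs, new = parse_log(after)
    wanted = {m.groups() for m in map(ENTRY_RE.match, fixed_lines) if m}
    return {
        "still_present": sorted(wanted & new),
        "still_running": sorted(f.upper() for f in deleted_files if f.upper() in procs),
        "new_entries": sorted(new - old),  # appeared since the first log
        "removed": sorted(old - new),
    }

# Shortened excerpts of the first and second logs in this thread.
BEFORE = r"""Running processes:
C:\WINDOWS\SYSTEM\NICODEU.EXE
C:\WINDOWS\EXPLORER.EXE
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NICODEU] C:\WINDOWS\SYSTEM\NICODEU.exe
"""
AFTER = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
"""
FIXED = [l for l in BEFORE.splitlines() if l.startswith(("O2", "O3")) or "[NICODEU]" in l]
DELETED = [r"C:\WINDOWS\BrowserHelper.dll", r"C:\WINDOWS\SYSTEM\NICODEU.exe"]
```

An empty `still_present` and `still_running` only covers what HijackThis lists: a file that has no autostart entry and is not running, such as the `propl.exe` reported by the scanner later in this thread, does not appear in either log.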
#3
I think it looks a lot better - see log below. But I still have the Troj Revop.c Virus. I tried to clean or delete it but I get a response "unable in use". The only things running in Task Mgr are aol and explorer right now. So I don't know what to do... any suggestions. Win 98.
What do you think of the log now ?? Thanks so much for your help..

Logfile of HijackThis v1.97.7
Scan saved at 4:23:49 PM, on 4/16/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dellnet.alltheweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dellnet.alltheweb.com/
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = vectorlink.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.11.201,151.164.1.8
#4
Hi becklett,
Quote:
What is the exact message you are getting? Is it an AV or AT finding it and which one? Regards, Kent
#5
Kent - thanks for your help. The computer is at the office and I can e you Monday morning with the exact response. I was using Trend Micro Housecall. I had run Spybot & adaware 6 - then Trend Micro Housecall online. The response was that Housecall was unable to clean and unable to delete TROJREVOP.A from C:\\windows\system\propl.exe.
Plus.. part of the problem I have with that computer is that I cannot get the 'updates' for spybot & ad aware - the computer stops receiving the info in the middle or start of the download. Could the virus be doing this? I truly appreciate your help here. Becky
#6
Ok ok... I ran ad aware 6, spybot (although it would freeze when I tried to download updates), Panda activescan (which cleaned the virus.. I hope) and then trend micro housecall again - 0 virus present. I think it is all clean now. I hope.
Here is my log - thank you so so much for your help on this one. Becky

Logfile of HijackThis v1.97.7
Scan saved at 4:43:56 PM, on 4/19/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0A\WAOL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://dellnet.alltheweb.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dellnet.alltheweb.com/
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = vectorlink.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.11.201,151.164.1.8
#7
Hi becklett,
Your log is clean. Hopefully you are not having any more problems. Regards, Kent
#8
Thanks Kent.... we will know today when the computer's 'normal user' comes back to work. Before I left last night I defragged and now with all of the other stuff gone (thanks to you), the computer is really quick. The true test will be today.
Thank you Becky
#9
Hi Becky,
I am looking forward to hearing that all is fixed. Regards, Kent
#10
Kent - Not one call from him re: any computer problems... other than he keeps getting kicked off his online access (but I think that is a problem with the wireless internet provider and not the computer). I think we are clear !!
Thank you so much for all of your help. You are the best !!
#11
Hi Becky,
Glad to hear all seems OK. Thanks for the kind words. Regards, Kent
#12
Hi soulburn,
I started a new thread for you located HERE. It is a lot easier if we keep just one computer and its problem in a single thread, a lot less confusing. Regards, Kent