TROJ_REVOP.A

Ok, I'm having a hell of a time getting rid of this dumb thing. I already have Spybot and Adaware installed on my computer and I run those daily. I use AVG for my virus protection at the moment. About every hour I get a popup stating that AVG found a virus in C:\winnt\system32\bdl14177.exe. My Hijack This log looks like this:

Logfile of HijackThis v1.97.7
Scan saved at 9:44:40 AM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\cpqapps\Aclient\Aclient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\System32\BacsTray.exe
C:\WINNT\System32\vaesvdh.exe
C:\WINNT\System32\yxtolfc.exe
C:\WINNT\System32\QuikSearch.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\ryan\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\System32\icdd7ee6.dll
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINNT\System32\iel2cde8.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINNT\System32\li01f948.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [nssysconf] C:\WINNT\System32\vaesvdh.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\yxtolfc.exe
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\System32\icdd7ee6.dll,EnableRunDLL32
O4 - HKLM\..\Run: [QuikSearch] C:\WINNT\System32\QuikSearch.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Startup: New Text Document.bat
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Sabritec
O17 - HKLM\Software\..\Telephony: DomainName = Sabritec
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Sabritec

I have tried everything I can possibly think of to get rid of this stupid thing but it just keeps coming back. Does anyone have any suggestions? I swear if I ever find out who made this thing I'll make their death slow and very painful.

 

Hi rbender

Welcome to Wilders.

Did u try any independent online scans for infection?

If not, here is a few,

http://www.kaspersky.com/remoteviruschk.html

http://www.wilders.org/free_services.htm



snowbound

 

Hi rbender,

Before you start please move hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. These would now end up on your desktop.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\System32\icdd7ee6.dll
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINNT\System32\iel2cde8.dll

O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINNT\System32\li01f948.dll

O4 - HKLM\..\Run: [nssysconf] C:\WINNT\System32\vaesvdh.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\yxtolfc.exe
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\System32\icdd7ee6.dll,EnableRunDLL32
O4 - HKLM\..\Run: [QuikSearch] C:\WINNT\System32\QuikSearch.exe

Not sure about this one:
O4 - Startup: New Text Document.bat
If that is not something you put there yourself add it to the selection.

Then reboot into safe mode and delete:
C:\WINNT\System32\vaesvdh.exe
C:\WINNT\System32\yxtolfc.exe
C:\WINNT\System32\QuikSearch.exe
C:\WINNT\System32\li01f948.dll
C:\WINNT\System32\iel2cde8.dll
C:\WINNT\System32\icdd7ee6.dll

Regards,

Pieter

 

Nevermind, I got rid of it. Thanks anyway.