Also need help with PSW.Briss.A and Revop.c

Discussion in 'adware, spyware & hijack cleaning' started by Leslie, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. Leslie

    Leslie Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    8
    Location:
    Tampa, Florida
    I found this site after searching the web for an answer to what Revop.C is and how I can get rid of it. I downloaded HijackThis and ran the program. Here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:20:02 PM, on 4/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\HPBPRO.EXE
    C:\WINDOWS\SYSTEM\HPBOID.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MRUTIL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\HPNRA.EXE
    F:\CAL\CAL\CALWIN.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.120.55.1:3128
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [MAXTELAMR] MRUTIL.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [hpjsiroute192.0.0.192] hpjsira.exe -i 192.0.0.192 -g 10.120.55.16
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\hpnra.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
    O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
    O4 - Startup: CaLANdar for LESLIE.lnk = ?
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37939.6211921296
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = pemc
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.32.2.136,65.32.1.65

    So what do I need to do now? What do I need to fix?

    Thank you!
     
  2. Leslie

    Ran Spybot and then Hijackthis

    So I read the note at the top of this forum about running Adaware or Spybot. I downloaded and ran Spybot S&D. It found three files which were deleted.

    Here is my new Hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:02:33 PM, on 4/29/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\HPBPRO.EXE
    C:\WINDOWS\SYSTEM\HPBOID.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MRUTIL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\HPNRA.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    F:\CAL\CAL\CALWIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.120.55.1:3128
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [MAXTELAMR] MRUTIL.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [hpjsiroute192.0.0.192] hpjsira.exe -i 192.0.0.192 -g 10.120.55.16
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\hpnra.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
    O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
    O4 - Startup: CaLANdar for LESLIE.lnk = ?
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37939.6211921296
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = pemc
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.32.2.136,65.32.1.65

    So may I ask for help in this to make sure I get rid of my Revop.C and PSW.Briss.A problems?

    Thank you and BTW, this is a great forum!

    Leslie
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Leslie,

    Check the item below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL

    Then reboot and delete:
    C:\WINDOWS\SYSTEM\BRIDGE.DLL

    I am not sure what this is:
    O4 - HKLM\..\Run: [MAXTELAMR] MRUTIL.EXE

    Do you know?

    Regards,

    Pieter
     
  4. Leslie

    I did what you suggested. Here is the new log. And BTW, I have no idea what that other file is. Should I also delete that?

    Logfile of HijackThis v1.97.7
    Scan saved at 9:29:53 AM, on 4/30/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\HPBPRO.EXE
    C:\WINDOWS\SYSTEM\HPBOID.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MRUTIL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\HPNRA.EXE
    F:\CAL\CAL\CALWIN.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.120.55.1:3128
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [MAXTELAMR] MRUTIL.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [hpjsiroute192.0.0.192] hpjsira.exe -i 192.0.0.192 -g 10.120.55.16
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\hpnra.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
    O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
    O4 - Startup: CaLANdar for LESLIE.lnk = ?
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37939.6211921296
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = pemc
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.32.2.136,65.32.1.65
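
Added example (not part of the thread, and not HijackThis code): one way to confirm the fix Pieter asked for is to diff the scan taken before it against the scan taken after it. The function names and the trimmed sample logs, a few entries copied from the posts above, are assumptions made for illustration.

```python
import re

# Constructed sample: a few entries copied from the logs posted in this thread.
BEFORE = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O4 - HKLM\..\Run: [MAXTELAMR] MRUTIL.EXE
"""
AFTER = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [MAXTELAMR] MRUTIL.EXE
"""

# Section code (R0, O2, O16, ...) followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# Body of an O2 line: "BHO: <name> - {CLSID} - <file>".
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def parse_entries(log):
    """Return {(code, folded_body): (code, body)} for each entry line."""
    entries = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            code, body = m.groups()
            # Registry names and Win9x paths compare case-insensitively.
            entries[(code, body.casefold())] = (code, body)
    return entries

def diff_logs(before, after):
    """Entries that disappeared, and entries that appeared, between scans."""
    b, a = parse_entries(before), parse_entries(after)
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added

def bho_clsids(log):
    """Set of upper-cased CLSIDs of all O2 (BHO) entries in a log."""
    found = set()
    for code, body in parse_entries(log).values():
        m = BHO_RE.match(body) if code == "O2" else None
        if m:
            found.add(m.group(2).upper())
    return found

def bho_removed(before, after, clsid):
    """True if the BHO was registered in `before` and is gone in `after`."""
    return clsid.upper() in bho_clsids(before) and clsid.upper() not in bho_clsids(after)
```

An empty `added` list matters as much as the expected `removed` entry: a new autorun or BHO appearing after the reboot would mean something re-registered itself.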
     
  5. Pieter_Arntz

    Hi Leslie,

    Can you find: C:\WINDOWS\MRUTIL.EXE
    Right-click the file and check under Properties > Version tab if that reveals something about its origin.

    Regards,

    Pieter
     
  6. Leslie

    Okay, Mrutil.EXE is its name. It says in Version that it is file version 1,0,0,1 and the description is SystemTrayDemo MFC Application. It was modified on 6/22/00 at 12:20pm.

    Also, it has a little telephone icon associated with it.

    Leslie
     
  7. Pieter_Arntz

    That is not much to go on.

    I will PM you my email address. Could you send me that file (preferably zipped up)?
    I would like to have a closer look, although it seems to stem from before your trouble.

    Regards,

    Pieter
     
  8. Leslie

    Will do and thank you very much for all your help.

    Leslie
     