revop.C is spoiling my life...

Discussion in 'adware, spyware & hijack cleaning' started by zorralarousse, May 17, 2004.

Thread Status:
Not open for further replies.
  1. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    can't get rid off revop.C!, help!

    AVG pops up constantly saying it finds revopC in Windows/system 32/bdl 114177.exe. Despite several online anti-virus scan, trojan remover, ad-aware and spyboot, revop.C is still coming back...
    I am working on a pentium 4, 256 mb ram, 40gb, xp home edition and sygate personal firewall. got sasser for a week, witch seems to be removed, got som gaobot.18.ar also removed. Only revop.C seems to resist.
    Some unormal behaviour: windows message coming and saying I'm running out of memory, this without having any big program running... and noticing sometimes problems with run32.dll (?)

    here's a hijackthis:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:10:34 PM, on 5/16/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\COMMON~2\QuickKaz.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\WINDOWS\System32\dlcjqtx.exe
    C:\WINDOWS\System32\hpdllhost.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\lwmqbpg.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\Program\Grisoft\AVG6\avgcc32.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    R3 - URLSearchHook: (no name) - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINDOWS\System32\kw3eef76.dll
    O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll
    O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\System32\wm41a398.dll
    O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll
    O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll
    O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll
    O3 - Toolbar: (no name) - {28A19C3E-91E4-4bca-A623-BAF3C43C4F49} - C:\WINDOWS\System32\si91e44b.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickKaz] C:\Program\COMMON~2\QuickKaz.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [smrtdrv] runtime.exe
    O4 - HKLM\..\Run: [IPv6 Helper Driver] csass.exe
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\dlcjqtx.exe
    O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
    O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [si91e44b] rundll32.exe C:\WINDOWS\System32\si91e44b.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\lwmqbpg.exe
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [Video Process] sysconf.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\RunServices: [windows] hkey.exe
    O4 - HKLM\..\RunServices: [smrtdrv] runtime.exe
    O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe
    O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx


    __________________________________________

    here's a startup list:

    StartupList report, 5/16/2004, 1:11:50 PM
    StartupList version: 1.52
    Started from : C:\Program Files\anti-virus\hijackthis\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\COMMON~2\QuickKaz.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\WINDOWS\System32\dlcjqtx.exe
    C:\WINDOWS\System32\hpdllhost.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\lwmqbpg.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\Program\Grisoft\AVG6\avgcc32.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\yvan\Start-meny\Program\Autostart]
    Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start-meny\Program\Autostart]
    Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    DadApp = C:\Program\Dell\AccessDirect\dadapp.exe
    Apoint = C:\Program\Apoint\Apoint.exe
    DVDSentry = C:\WINDOWS\System32\DSentry.exe
    WorksFUD = C:\Program\Microsoft Works\wkfud.exe
    Microsoft Works Portfolio = C:\Program\Microsoft Works\WksSb.exe /AllUsers
    Microsoft Works Update Detection = C:\Program\Microsoft Works\WkDetect.exe
    EM_EXEC = C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    QuickKaz = C:\Program\COMMON~2\QuickKaz.exe
    SunJavaUpdateSched = C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    windows = hkey.exe
    ashMaiSv = C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    smrtdrv = runtime.exe
    IPv6 Helper Driver = csass.exe
    SmcService = C:\Program\Sygate\SPF\smc.exe -startgui
    nssysconf = C:\WINDOWS\System32\dlcjqtx.exe
    kw3eef76 = rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
    li01f948 = rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
    000hpdllhost = C:\WINDOWS\System32\hpdllhost.exe
    readdb40 = rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
    si91e44b = rundll32.exe C:\WINDOWS\System32\si91e44b.dll,EnableRunDLL32
    he3e3fc4 = rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
    hpsysconf1 = C:\WINDOWS\System32\lwmqbpg.exe
    inetmgr = C:\Program\INTERN~2\inetmgr.exe
    wm41a398 = rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
    iel2cde8 = rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
    icdd7ee6 = rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
    Video Process = sysconf.exe
    AVG_CC = C:\Program\Grisoft\AVG6\avgcc32.exe /startup

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    windows = hkey.exe
    smrtdrv = runtime.exe
    Nt System Kernel = ntsyskrnl.exe
    Video Process = sysconf.exe
    Config Loader =
    Registry Loader =
    MS Config Loader =
    Microsoft Office =
    Microsoft Office Start =
    Windows Update =
    Windows Backup Configuration =
    Microsoft Windows Updater =
    Config Loader2 =
    Office Startup =
    Quicktime Pro 3.0 =
    Svhost Loader =
    MS Security Hotfix =
    Windows Communicator =
    Config Loader for Microsoft Windows =
    System Loaderav =
    ConfiggLoader =
    Configuration Loader =
    Sound Loader =
    Windows Config Manager =
    Windows Loader =
    Service Controller =
    Ms Task =
    Windows Explorer =
    Mixer =
    System Loaderap =
    Norton Live Updater =
    Windows Update Service =
    Update =
    Configuration Loading =
    MS Config Stream =
    Win Init =
    Windows Startup =
    Windows Media Player =
    WindowsFS =

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

    (Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\System32\kw3eef76.dll - {00000000-0000-0000-8835-3EFF76BF2657}
    (no name) - C:\WINDOWS\System32\icdd7ee6.dll - {00000000-0000-0000-BFA1-D7EE6696B865}
    (no name) - C:\WINDOWS\System32\wm41a398.dll - {00000000-0000-41a3-98CF-00000000168B}
    (no name) - C:\WINDOWS\System32\iel2cde8.dll - {00000000-0000-47c5-A90F-2CDE8F7638DB}
    (no name) - C:\WINDOWS\System32\he3e3fc4.dll - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09}
    (no name) - C:\Program\INTERN~2\inetkw.dll - {046D6EA4-15E3-4b27-8010-45BD78A9219E}
    (no name) - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31}
    (no name) - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\program\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    Payya Tec Popup Killer - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [AltaVista Toolbar]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    CODEBASE = http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM

    [AcDcToday Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACDCTO~1.OCX
    CODEBASE = file://C:\Program\AutoCAD 2002\AcDcToday.ocx

    [SassCln Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
    CODEBASE = http://www.microsoft.com/security/controls/SassCln.CAB

    [NOXLATE-BANR]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstBanr.ocx
    CODEBASE = file://C:\Program\AutoCAD 2002\InstBanr.ocx

    [InstaFred]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx
    CODEBASE = file://C:\Program\AutoCAD 2002\InstFred.ocx

    [Live365Player Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\Play365.dll
    CODEBASE = http://www.live365.com/players/play365.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [AcPreview Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX
    CODEBASE = file://C:\Program\AutoCAD 2002\AcPreview.ocx

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

    --------------------------------------------------
    End of report, 9,957 bytes
    Report generated in 0.090 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Could you help me removing the Revop C and possibly other spoilers?
    Thanks!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi zorralarousse,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINDOWS\System32\kw3eef76.dll
    O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll
    O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\System32\wm41a398.dll
    O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll
    O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll

    O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll
    O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll
    O3 - Toolbar: (no name) - {28A19C3E-91E4-4bca-A623-BAF3C43C4F49} - C:\WINDOWS\System32\si91e44b.dll

    O4 - HKLM\..\Run: [QuickKaz] C:\Program\COMMON~2\QuickKaz.exe

    O4 - HKLM\..\Run: [windows] hkey.exe

    O4 - HKLM\..\Run: [smrtdrv] runtime.exe
    O4 - HKLM\..\Run: [IPv6 Helper Driver] csass.exe

    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\dlcjqtx.exe
    O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
    O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [si91e44b] rundll32.exe C:\WINDOWS\System32\si91e44b.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\lwmqbpg.exe
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [Video Process] sysconf.exe

    O4 - HKLM\..\RunServices: [windows] hkey.exe
    O4 - HKLM\..\RunServices: [smrtdrv] runtime.exe
    O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe
    O4 - HKLM\..\RunServices: [Video Process] sysconf.exe

    Then reboot and do a online virusscan you will find several listed here: http://www.wilders.org/free_services.htm

    Then download TDS-3 from http://www.wilders.org/anti_trojans.htm
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then click System Testing > Full System scan.

    Let us know the results. I think your AVG is toast, so you may want to replace or reinstall that.

    Regards,

    Pieter
     
  3. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    hello pieter,
    thanks for your advices. I have cleaned the files you've mentioned, ran an online scan (housecall) witch found and deleted 2 viruses: dos_agabot.gen [in windows\system 32\drivers\ETC\hosts] and bat_sasser.A [in windows\system32\cmd.ftp]. Installed upgraded and used TDS-3 witch gave this result:

    Scan Control Dumped @ 00:20:17 17-05-04
    Positive identification: Adware.CommonName.c
    File: c:\program\intern~2\inetmgr.exe

    RegVal Trace: DDoS.RAT.Litmus: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Windows=hkey.exe]

    Positive identification: Riskware.Firedaemon
    File: c:\winnt\system32\config\ens\firedaemon.exe

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\kth-la\l+a\kursprogram\l+a_schedule_040113.doc.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\kth-la\l+a\papperskorg\l+a_schedule_031211.doc.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\privat\brev etc\avanmälan_namnändring_jo.wps.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\privat\cv\curri_jo.wps.doc

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\documents and settings\yvan\lokala inställningar\temp\1a0.tmp

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\yvan\mina dokument\curriculum\curri02.wps.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\yvan\mina dokument\curriculum\curri_jo.wps.doc

    Positive identification (DLL): Adware.CommonName.c (dll)
    File: c:\program\internet keyword\inetkw.dll

    Positive identification: Adware.CommonName.c
    File: c:\program\internet keyword\inetmgr.exe

    Positive identification (DLL): Adware.Lz.b (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-319.dll

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-335.dll

    Positive identification (DLL): Adware.Lz.c (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-439.dll

    Positive identification (DLL): Adware.Lz.a (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-822.dll

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211819-261.dll

    Positive identification (DLL): Adware.Lz.b (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-253.dll

    Positive identification (DLL): Adware.Lz.a (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-282.dll

    Positive identification (DLL): Adware.CommonName.c (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-462.dll

    Positive identification (DLL): Adware.Lz.c (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-902.dll

    Suspicious Filename: Dual extensions
    File: c:\program files\sketchup\installsketchup-3[1].0.102.exe

    Positive identification: RAT.HelioS 2.0 (UPX.b)
    File: c:\temp\antivirus040501\vcleaner.exe

    Positive identification (DLL): Adware.BookedSpace.c (dll)
    File: c:\windows\bxxs5.dll

    Positive identification: Adware.SAH
    File: c:\windows\downloaded program files\sahagent_.exe

    Positive identification: TrojanDownloader.Win32.IEK
    File: c:\windows\system32\aud-cnet1.exe

    Positive identification (DLL): Adware.Lz.a (dll)
    File: c:\windows\system32\he3e3fc4.dll

    Positive identification: Adware.Lz
    File: c:\windows\system32\hpdllhost.exe

    Positive identification (DLL): Adware.Lz.c (dll)
    File: c:\windows\system32\icdd7ee6.dll

    Positive identification (DLL): Adware.Lz.b (dll)
    File: c:\windows\system32\iel2cde8.dll

    Positive identification: Adware.CommonName.c Dropper
    File: c:\windows\system32\inetkw.exe

    Positive identification: Adware.CommonName.c Dropper.a
    File: c:\windows\system32\inetkwsys.exe

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\windows\system32\kw3eef76.dll

    Positive identification (DLL): Adware.Lz.e (dll)
    File: c:\windows\system32\li01f948.dll

    Positive identification: TrojanDownloader.Win32.IEK
    File: c:\windows\system32\lwmqbpg.exe

    Positive identification (DLL): Adware.Lz.g (dll)
    File: c:\windows\system32\readdb40.dll

    Positive identification (DLL): Adware.Lz.f (dll)
    File: c:\windows\system32\si91e44b.dll

    Positive identification: TrojanDownloader.Win32.Vivia.d
    File: c:\windows\system32\whistleschk.exe

    Positive identification: Riskware.Firedaemon
    File: c:\winnt\system32\config\ens\firedaemon.exe

    ______________________________________

    here follows an new hijackthis:


    Logfile of HijackThis v1.97.7
    Scan saved at 12:31:43 AM, on 5/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program Files\anti-virus\avg antivirus\avgcc32.exe
    C:\Program Files\anti-virus\trojanscanner\TDS3\tds-3.exe
    C:\Program\Delade filer\L&H Shared\PCMM RealSpeak V1\RSSVR10.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\WINDOWS\System32\notepad.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\anti-virus\avg antivirus\avgcc32.exe /startup
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx

    _____________________________________________

    I reinstalled AVG and when scanning, its finds now:
    downloader.vidia.B in windows\system32\DLCJQTX.exe(moved to vault)

    ______________________________________________

    as far as I understand, it seems that revop.C is gone; do you think I still have Sasser?; I have this virus downloader.vidia.B .........

    What do you advice me to do?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Have TDS remove all the positive identifications with one exception if you instelled that yourself: Firedaemon
    The program itself is harmless buit it can be abused by others.

    Then Run HijackThis again and post a new HijackThis log.

    Regards,

    Pieter
     
  5. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    TDS has removed all positive identifications, all except inemgr.exe witch is runnig and witch can't be stopped, inclusive when I try via the task manager.
    Here's a new hijack this log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:00:16 PM, on 5/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program Files\anti-virus\avg antivirus\avgcc32.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe
    C:\WINDOWS\System32\rundll32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll (file missing)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\anti-virus\avg antivirus\avgcc32.exe /startup
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi zorralarousse,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll (file missing)

    O4 - HKLM\..\Run: [windows] hkey.exe

    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe

    Then reboot into safe mode and delete:
    C:\Program\INTERNET KEYWORD <= entire folder

    Regards,

    Pieter
     
  7. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    hello pieter,
    I followed your advices, removed the items and the folder, everything seems to work much better now!

    revop.c is gone I think, and I thank you for this!

    I run avg witch didn't find anything, nether Housecall, but panda fond 5 viruses (!) and fixed 3 of them. one virus [Bck/Iroffer.E] is uncleanable in 2 different files witch I can't see in the explorer, do you think I should bother about it?
    Here's the log of panda:


    Virus:Exploit/iFrame Disinfected C:\Documents and Settings\yvan\Lokala inställningar\Temporary Internet Files\Content.IE5\G5CQPN6C\wbk13.tmp
    Virus:Bck/Iroffer.E No disinfected C:\Program Files\anti-virus\trojanscanner\TDS3\xDynamic\TDS.Unpk\xkit.exe[NTFS32.exe]
    Virus:Bck/Iroffer.E No disinfected C:\WINDOWS\Temp\xkit.exe[NTFS32.exe]
    Virus:W32/Bagle.pwdzip Disinfected Lokala mappar\Inkorgen\Warning about your e-mail account.\Info.zip
    Virus:W32/Netsky.P.worm Disinfected Lokala mappar\Inkorgen\Stolen document\document342.exe __________________________________

    here's a new hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:54:27 PM, on 5/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\Program\Apoint\Apntex.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\AVGCC32.EXE
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\anti-virus\avg antivirus\avgcc32.exe /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx

    __________________________________________

    Tell me if you think I still can improve things,

    Thank you very much for all your help,

    zorra [ :)]
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
  9. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    Once again, thank you for all Pieter...
    ... and happy birthday[MOVE]!!!!!![/MOVE]


    Zorralarousse
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.