revop.C is spoiling my life...

Discussion in 'adware, spyware & hijack cleaning' started by zorralarousse, May 17, 2004.

Thread Status:
Not open for further replies.
  1. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    Can't get rid of revop.C! Help!

    AVG pops up constantly saying it finds revop.C in Windows/system 32/bdl 114177.exe. Despite several online anti-virus scans, Trojan Remover, Ad-Aware and Spybot, revop.C still keeps coming back...
    I am working on a Pentium 4, 256 MB RAM, 40 GB, XP Home Edition and Sygate Personal Firewall. Had Sasser for a week, which seems to be removed, and also had some gaobot.18.ar, also removed. Only revop.C seems to resist.
    Some abnormal behaviour: Windows messages keep appearing saying I'm running out of memory, without any big program running... and I sometimes notice problems with run32.dll (?)

    Here's a HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:10:34 PM, on 5/16/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\COMMON~2\QuickKaz.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\WINDOWS\System32\dlcjqtx.exe
    C:\WINDOWS\System32\hpdllhost.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\lwmqbpg.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\Program\Grisoft\AVG6\avgcc32.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    R3 - URLSearchHook: (no name) - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINDOWS\System32\kw3eef76.dll
    O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll
    O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\System32\wm41a398.dll
    O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll
    O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll
    O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll
    O3 - Toolbar: (no name) - {28A19C3E-91E4-4bca-A623-BAF3C43C4F49} - C:\WINDOWS\System32\si91e44b.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickKaz] C:\Program\COMMON~2\QuickKaz.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [smrtdrv] runtime.exe
    O4 - HKLM\..\Run: [IPv6 Helper Driver] csass.exe
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\dlcjqtx.exe
    O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
    O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [si91e44b] rundll32.exe C:\WINDOWS\System32\si91e44b.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\lwmqbpg.exe
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [Video Process] sysconf.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\RunServices: [windows] hkey.exe
    O4 - HKLM\..\RunServices: [smrtdrv] runtime.exe
    O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe
    O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx


    __________________________________________

    Here's a StartupList report:

    StartupList report, 5/16/2004, 1:11:50 PM
    StartupList version: 1.52
    Started from : C:\Program Files\anti-virus\hijackthis\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\COMMON~2\QuickKaz.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\WINDOWS\System32\dlcjqtx.exe
    C:\WINDOWS\System32\hpdllhost.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\lwmqbpg.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\Program\Grisoft\AVG6\avgcc32.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\yvan\Start-meny\Program\Autostart]
    Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start-meny\Program\Autostart]
    Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    DadApp = C:\Program\Dell\AccessDirect\dadapp.exe
    Apoint = C:\Program\Apoint\Apoint.exe
    DVDSentry = C:\WINDOWS\System32\DSentry.exe
    WorksFUD = C:\Program\Microsoft Works\wkfud.exe
    Microsoft Works Portfolio = C:\Program\Microsoft Works\WksSb.exe /AllUsers
    Microsoft Works Update Detection = C:\Program\Microsoft Works\WkDetect.exe
    EM_EXEC = C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    QuickKaz = C:\Program\COMMON~2\QuickKaz.exe
    SunJavaUpdateSched = C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    windows = hkey.exe
    ashMaiSv = C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    smrtdrv = runtime.exe
    IPv6 Helper Driver = csass.exe
    SmcService = C:\Program\Sygate\SPF\smc.exe -startgui
    nssysconf = C:\WINDOWS\System32\dlcjqtx.exe
    kw3eef76 = rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
    li01f948 = rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
    000hpdllhost = C:\WINDOWS\System32\hpdllhost.exe
    readdb40 = rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
    si91e44b = rundll32.exe C:\WINDOWS\System32\si91e44b.dll,EnableRunDLL32
    he3e3fc4 = rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
    hpsysconf1 = C:\WINDOWS\System32\lwmqbpg.exe
    inetmgr = C:\Program\INTERN~2\inetmgr.exe
    wm41a398 = rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
    iel2cde8 = rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
    icdd7ee6 = rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
    Video Process = sysconf.exe
    AVG_CC = C:\Program\Grisoft\AVG6\avgcc32.exe /startup

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    windows = hkey.exe
    smrtdrv = runtime.exe
    Nt System Kernel = ntsyskrnl.exe
    Video Process = sysconf.exe
    Config Loader =
    Registry Loader =
    MS Config Loader =
    Microsoft Office =
    Microsoft Office Start =
    Windows Update =
    Windows Backup Configuration =
    Microsoft Windows Updater =
    Config Loader2 =
    Office Startup =
    Quicktime Pro 3.0 =
    Svhost Loader =
    MS Security Hotfix =
    Windows Communicator =
    Config Loader for Microsoft Windows =
    System Loaderav =
    ConfiggLoader =
    Configuration Loader =
    Sound Loader =
    Windows Config Manager =
    Windows Loader =
    Service Controller =
    Ms Task =
    Windows Explorer =
    Mixer =
    System Loaderap =
    Norton Live Updater =
    Windows Update Service =
    Update =
    Configuration Loading =
    MS Config Stream =
    Win Init =
    Windows Startup =
    Windows Media Player =
    WindowsFS =

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

    (Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\System32\kw3eef76.dll - {00000000-0000-0000-8835-3EFF76BF2657}
    (no name) - C:\WINDOWS\System32\icdd7ee6.dll - {00000000-0000-0000-BFA1-D7EE6696B865}
    (no name) - C:\WINDOWS\System32\wm41a398.dll - {00000000-0000-41a3-98CF-00000000168B}
    (no name) - C:\WINDOWS\System32\iel2cde8.dll - {00000000-0000-47c5-A90F-2CDE8F7638DB}
    (no name) - C:\WINDOWS\System32\he3e3fc4.dll - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09}
    (no name) - C:\Program\INTERN~2\inetkw.dll - {046D6EA4-15E3-4b27-8010-45BD78A9219E}
    (no name) - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31}
    (no name) - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\program\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    Payya Tec Popup Killer - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [AltaVista Toolbar]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    CODEBASE = http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM

    [AcDcToday Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACDCTO~1.OCX
    CODEBASE = file://C:\Program\AutoCAD 2002\AcDcToday.ocx

    [SassCln Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
    CODEBASE = http://www.microsoft.com/security/controls/SassCln.CAB

    [NOXLATE-BANR]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstBanr.ocx
    CODEBASE = file://C:\Program\AutoCAD 2002\InstBanr.ocx

    [InstaFred]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx
    CODEBASE = file://C:\Program\AutoCAD 2002\InstFred.ocx

    [Live365Player Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\Play365.dll
    CODEBASE = http://www.live365.com/players/play365.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [AcPreview Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX
    CODEBASE = file://C:\Program\AutoCAD 2002\AcPreview.ocx

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

    --------------------------------------------------
    End of report, 9,957 bytes
    Report generated in 0.090 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Could you help me remove Revop.C and possibly other spoilers?
    Thanks!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi zorralarousse,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINDOWS\System32\kw3eef76.dll
    O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll
    O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\System32\wm41a398.dll
    O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll
    O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll

    O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll
    O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll
    O3 - Toolbar: (no name) - {28A19C3E-91E4-4bca-A623-BAF3C43C4F49} - C:\WINDOWS\System32\si91e44b.dll

    O4 - HKLM\..\Run: [QuickKaz] C:\Program\COMMON~2\QuickKaz.exe

    O4 - HKLM\..\Run: [windows] hkey.exe

    O4 - HKLM\..\Run: [smrtdrv] runtime.exe
    O4 - HKLM\..\Run: [IPv6 Helper Driver] csass.exe

    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\dlcjqtx.exe
    O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
    O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [si91e44b] rundll32.exe C:\WINDOWS\System32\si91e44b.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\lwmqbpg.exe
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [Video Process] sysconf.exe

    O4 - HKLM\..\RunServices: [windows] hkey.exe
    O4 - HKLM\..\RunServices: [smrtdrv] runtime.exe
    O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe
    O4 - HKLM\..\RunServices: [Video Process] sysconf.exe

    Then reboot and do an online virus scan; you will find several listed here: http://www.wilders.org/free_services.htm

    Then download TDS-3 from http://www.wilders.org/anti_trojans.htm
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then click System Testing > Full System scan.

    Let us know the results. I think your AVG is toast, so you may want to replace or reinstall that.

    Regards,

    Pieter
     
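    The fix list above picks out a few recurring shapes rather than individual file names: an R3 hook with "(no file)" behind it, unnamed O2/O3 entries whose DLL sits in System32, O4 entries that are a bare executable name with no path, DLLs autostarted through `rundll32.exe <dll>,EnableRunDLL32`, and anything at all under RunServices on an XP box. The script below is an added example, not code from this thread, from HijackThis or from any tool named here: it encodes those shapes as string heuristics and runs them over a handful of lines copied from the first post's log. The heuristics, the function names and the reason strings are this example's own assumptions; they are a first pass to focus attention, not a verdict on any entry.

```python
"""Heuristic triage of a HijackThis 1.9x log.

Added example (not part of this thread or of HijackThis). The patterns below
are assumptions modelled on the entries singled out in the reply above.
"""
import re

# Constructed input: a subset of lines copied from the log in the first post.
SAMPLE_LOG = r"""
Platform: Windows XP (WinNT 5.01.2600)
R3 - URLSearchHook: (no name) - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINDOWS\System32\kw3eef76.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [windows] hkey.exe
O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
O4 - HKLM\..\Run: [AVG_CC] C:\Program\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
""".strip()

# "Platform: Windows XP (WinNT 5.01.2600)" -> family "WinNT"
PLATFORM_RE = re.compile(r"^Platform: .*\((?P<family>Win\w+)")
# Every HJT entry starts with a section code such as R3, O2, O4.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# "BHO: <name> - {CLSID} - <path>"  (also Toolbar: and URLSearchHook:)
COM_RE = re.compile(r"^(?:BHO|Toolbar|URLSearchHook): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# "HKLM\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[[^\]]*\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll),EnableRunDLL32$", re.IGNORECASE)
BARE_EXE_RE = re.compile(r"^[\w.-]+\.exe$", re.IGNORECASE)

REASON_NO_FILE = "registered hook whose file is missing"
REASON_UNNAMED = "unnamed BHO/toolbar loaded from System32"
REASON_BARE = "bare executable name with no path"
REASON_RUNDLL = "DLL autostart via rundll32 EnableRunDLL32"
REASON_RUNSERVICES = "entry in RunServices, a Win9x-only autostart key"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return [(log line, reason), ...] for every entry that trips a heuristic."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    family = "WinNT"  # assumed when the Platform header is absent
    for ln in lines:
        m = PLATFORM_RE.match(ln)
        if m:
            family = m.group("family")

    # First pass: DLLs that are auto-started through rundll32, by basename,
    # so an unnamed BHO can be cross-referenced with its O4 twin.
    rundll_dlls = set()
    for ln in lines:
        m = ENTRY_RE.match(ln)
        o4 = O4_RE.match(m.group("body")) if m and m.group("kind") == "O4" else None
        r = RUNDLL_RE.match(o4.group("cmd")) if o4 else None
        if r:
            rundll_dlls.add(_basename(r.group("dll")))

    findings = []
    for ln in lines:
        m = ENTRY_RE.match(ln)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R3", "O2", "O3"):
            c = COM_RE.match(body)
            if not c:
                continue
            path = c.group("path")
            if path == "(no file)":
                findings.append((ln, REASON_NO_FILE))
            elif c.group("name") == "(no name)" and "\\system32\\" in path.lower():
                reason = REASON_UNNAMED
                if _basename(path) in rundll_dlls:
                    reason += "; also autostarted via rundll32 (O4)"
                findings.append((ln, reason))
        elif kind == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            key, cmd = o4.group("key"), o4.group("cmd")
            if key.lower() == "runservices" and family == "WinNT":
                findings.append((ln, REASON_RUNSERVICES))
            elif BARE_EXE_RE.match(cmd):
                findings.append((ln, REASON_BARE))
            elif RUNDLL_RE.match(cmd):
                findings.append((ln, REASON_RUNDLL))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

    Run against the sample, the script flags the R3 hook, both unnamed System32 DLLs (one of them cross-referenced to its rundll32 O4 entry), `hkey.exe`, the `kw3eef76.dll` autostart and the RunServices entry, and stays quiet on NvCplDaemon, AVG, ctfmon and the Google toolbar. Anything it flags still needs a human to check the file, exactly as the reply above does before listing an item to fix.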
  3. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    Hello Pieter,
    Thanks for your advice. I have cleaned the files you mentioned, ran an online scan (HouseCall) which found and deleted 2 viruses: dos_agabot.gen [in windows\system 32\drivers\ETC\hosts] and bat_sasser.A [in windows\system32\cmd.ftp]. Installed, upgraded and used TDS-3, which gave this result:

    Scan Control Dumped @ 00:20:17 17-05-04
    Positive identification: Adware.CommonName.c
    File: c:\program\intern~2\inetmgr.exe

    RegVal Trace: DDoS.RAT.Litmus: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Windows=hkey.exe]

    Positive identification: Riskware.Firedaemon
    File: c:\winnt\system32\config\ens\firedaemon.exe

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\kth-la\l+a\kursprogram\l+a_schedule_040113.doc.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\kth-la\l+a\papperskorg\l+a_schedule_031211.doc.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\privat\brev etc\avanmälan_namnändring_jo.wps.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\privat\cv\curri_jo.wps.doc

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\documents and settings\yvan\lokala inställningar\temp\1a0.tmp

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\yvan\mina dokument\curriculum\curri02.wps.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\yvan\mina dokument\curriculum\curri_jo.wps.doc

    Positive identification (DLL): Adware.CommonName.c (dll)
    File: c:\program\internet keyword\inetkw.dll

    Positive identification: Adware.CommonName.c
    File: c:\program\internet keyword\inetmgr.exe

    Positive identification (DLL): Adware.Lz.b (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-319.dll

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-335.dll

    Positive identification (DLL): Adware.Lz.c (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-439.dll

    Positive identification (DLL): Adware.Lz.a (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-822.dll

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211819-261.dll

    Positive identification (DLL): Adware.Lz.b (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-253.dll

    Positive identification (DLL): Adware.Lz.a (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-282.dll

    Positive identification (DLL): Adware.CommonName.c (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-462.dll

    Positive identification (DLL): Adware.Lz.c (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-902.dll

    Suspicious Filename: Dual extensions
    File: c:\program files\sketchup\installsketchup-3[1].0.102.exe

    Positive identification: RAT.HelioS 2.0 (UPX.b)
    File: c:\temp\antivirus040501\vcleaner.exe

    Positive identification (DLL): Adware.BookedSpace.c (dll)
    File: c:\windows\bxxs5.dll

    Positive identification: Adware.SAH
    File: c:\windows\downloaded program files\sahagent_.exe

    Positive identification: TrojanDownloader.Win32.IEK
    File: c:\windows\system32\aud-cnet1.exe

    Positive identification (DLL): Adware.Lz.a (dll)
    File: c:\windows\system32\he3e3fc4.dll

    Positive identification: Adware.Lz
    File: c:\windows\system32\hpdllhost.exe

    Positive identification (DLL): Adware.Lz.c (dll)
    File: c:\windows\system32\icdd7ee6.dll

    Positive identification (DLL): Adware.Lz.b (dll)
    File: c:\windows\system32\iel2cde8.dll

    Positive identification: Adware.CommonName.c Dropper
    File: c:\windows\system32\inetkw.exe

    Positive identification: Adware.CommonName.c Dropper.a
    File: c:\windows\system32\inetkwsys.exe

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\windows\system32\kw3eef76.dll

    Positive identification (DLL): Adware.Lz.e (dll)
    File: c:\windows\system32\li01f948.dll

    Positive identification: TrojanDownloader.Win32.IEK
    File: c:\windows\system32\lwmqbpg.exe

    Positive identification (DLL): Adware.Lz.g (dll)
    File: c:\windows\system32\readdb40.dll

    Positive identification (DLL): Adware.Lz.f (dll)
    File: c:\windows\system32\si91e44b.dll

    Positive identification: TrojanDownloader.Win32.Vivia.d
    File: c:\windows\system32\whistleschk.exe

    Positive identification: Riskware.Firedaemon
    File: c:\winnt\system32\config\ens\firedaemon.exe

    ______________________________________

    Here follows a new HijackThis log:


    Logfile of HijackThis v1.97.7
    Scan saved at 12:31:43 AM, on 5/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program Files\anti-virus\avg antivirus\avgcc32.exe
    C:\Program Files\anti-virus\trojanscanner\TDS3\tds-3.exe
    C:\Program\Delade filer\L&H Shared\PCMM RealSpeak V1\RSSVR10.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\WINDOWS\System32\notepad.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\anti-virus\avg antivirus\avgcc32.exe /startup
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx

    _____________________________________________

    I reinstalled AVG and when scanning, it now finds:
    downloader.vidia.B in windows\system32\DLCJQTX.exe(moved to vault)

    ______________________________________________

    As far as I understand, it seems that revop.C is gone; do you think I still have Sasser? I have this virus downloader.vidia.B...

    What do you advise me to do?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Have TDS remove all the positive identifications, with one exception if you installed that yourself: Firedaemon.
    The program itself is harmless, but it can be abused by others.

    Then Run HijackThis again and post a new HijackThis log.

    Regards,

    Pieter
     
  5. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    TDS has removed all positive identifications, all except inetmgr.exe, which is running and which can't be stopped, even when I try via the Task Manager.
    Here's a new HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:00:16 PM, on 5/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program Files\anti-virus\avg antivirus\avgcc32.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe
    C:\WINDOWS\System32\rundll32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll (file missing)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\anti-virus\avg antivirus\avgcc32.exe /startup
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi zorralarousse,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll (file missing)

    O4 - HKLM\..\Run: [windows] hkey.exe

    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe

    Then reboot into safe mode and delete:
    C:\Program\INTERNET KEYWORD <= entire folder

    Regards,

    Pieter
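The three entries singled out above share traits a log reviewer looks for in a HijackThis log: a BHO whose DLL is gone, a Run value that names a bare executable with no path, and a Run value living in the folder the poster is told to delete. As an added example, not code from this thread or from HijackThis itself, the Python below parses log lines in the v1.97 format and flags those three patterns. The sample lines are copied from the log posted in this thread; the allow-list of bare names and the flagged folder (the 8.3 short name `C:\Program\INTERN~2` that the log shows for the Internet Keyword folder) are constructed assumptions for the example.

```python
"""Triage HijackThis v1.97 log lines for three kinds of entry worth a look:
a BHO whose DLL is missing, a Run entry naming a bare executable with no
path, and a Run entry living in a folder already marked for deletion.
Added example; the sample lines are copied from the log in this thread,
the allow-list and the flagged folder are constructed assumptions."""
import re

# Generic "Oxx - body" / "Rx - body" HijackThis entry line
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
O4_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 body: BHO: name - {CLSID} - path
O2_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")

# Constructed assumptions for this example: bare names that are normal in a
# Run value on XP, and the short-name folder the poster was told to delete.
BENIGN_BARE_NAMES = {"rundll32.exe"}
FLAGGED_DIRS = (r"C:\Program\INTERN~2",)

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [windows] hkey.exe
O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
"""


def first_token(cmd):
    """Return the executable part of a Run command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_hjt(text):
    """Yield (section, body) for every HijackThis entry line in text."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(text, flagged_dirs=FLAGGED_DIRS, benign_bare=BENIGN_BARE_NAMES):
    """Return a list of (section, label, reason) for entries worth a look."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2":
            m = O2_BHO.match(body)
            if m and m.group("path").endswith("(file missing)"):
                findings.append((section, m.group("clsid"),
                                 "BHO registered but its DLL is missing"))
        elif section == "O4":
            m = O4_RUN.match(body)
            if not m:
                continue  # Startup-folder O4 entries use a different body format
            exe = first_token(m.group("cmd"))
            if "\\" not in exe and exe.lower() not in benign_bare:
                findings.append((section, m.group("name"),
                                 "Run entry names a bare file with no path"))
            elif any(exe.lower().startswith(d.lower()) for d in flagged_dirs):
                findings.append((section, m.group("name"),
                                 "Run entry lives in a folder marked for deletion"))
    return findings


def triage_sample():
    """Run the triage over the sample lines from this thread."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for section, label, reason in triage_sample():
        print(f"{section}  {label:<40} {reason}")
```

Run against the sample it reports exactly the three entries named in the post above and nothing else: the `RUNDLL32.EXE` value is bare but allow-listed, and every other Run value carries a full path outside the flagged folder. A bare-filename hit is a prompt for a closer look, not a verdict; the reviewer still has to decide, as was done here, whether the file belongs on the machine.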
     
  7. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    hello pieter,
    I followed your advice, removed the items and the folder, and everything seems to work much better now!

    revop.c is gone I think, and I thank you for this!

    I ran AVG, which didn't find anything, and neither did Housecall, but Panda found 5 viruses (!) and fixed 3 of them. One virus [Bck/Iroffer.E] is uncleanable in 2 different files which I can't see in Explorer; do you think I should bother about it?
    Here's the Panda log:


    Virus:Exploit/iFrame Disinfected C:\Documents and Settings\yvan\Lokala inställningar\Temporary Internet Files\Content.IE5\G5CQPN6C\wbk13.tmp
    Virus:Bck/Iroffer.E No disinfected C:\Program Files\anti-virus\trojanscanner\TDS3\xDynamic\TDS.Unpk\xkit.exe[NTFS32.exe]
    Virus:Bck/Iroffer.E No disinfected C:\WINDOWS\Temp\xkit.exe[NTFS32.exe]
    Virus:W32/Bagle.pwdzip Disinfected Lokala mappar\Inkorgen\Warning about your e-mail account.\Info.zip
    Virus:W32/Netsky.P.worm Disinfected Lokala mappar\Inkorgen\Stolen document\document342.exe

    __________________________________

    here's a new hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:54:27 PM, on 5/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\Program\Apoint\Apntex.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\AVGCC32.EXE
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\anti-virus\avg antivirus\avgcc32.exe /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx

    __________________________________________

    Tell me if you think I still can improve things,

    Thank you very much for all your help,

    zorra :)
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  9. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    Once again, thank you for all Pieter...
    ... and happy birthday!!!!!!


    Zorralarousse
     