revop.C is spoiling my life...

Discussion in 'adware, spyware & hijack cleaning' started by zorralarousse, May 17, 2004.

  1. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    Can't get rid of revop.C! Help!

    AVG pops up constantly saying it finds revop.C in Windows/system 32/bdl 114177.exe. Despite several online anti-virus scans, Trojan Remover, Ad-aware and Spybot, revop.C is still coming back...
    I am working on a Pentium 4, 256 MB RAM, 40 GB, XP Home Edition and Sygate Personal Firewall. Got Sasser for a week, which seems to be removed, got some Gaobot.18.ar, also removed. Only revop.C seems to resist.
    Some abnormal behaviour: Windows messages coming up saying I'm running out of memory, this without having any big program running... and noticing sometimes problems with run32.dll (?)

    here's a HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:10:34 PM, on 5/16/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\COMMON~2\QuickKaz.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\WINDOWS\System32\dlcjqtx.exe
    C:\WINDOWS\System32\hpdllhost.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\lwmqbpg.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\Program\Grisoft\AVG6\avgcc32.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    R3 - URLSearchHook: (no name) - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINDOWS\System32\kw3eef76.dll
    O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll
    O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\System32\wm41a398.dll
    O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll
    O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll
    O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll
    O3 - Toolbar: (no name) - {28A19C3E-91E4-4bca-A623-BAF3C43C4F49} - C:\WINDOWS\System32\si91e44b.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickKaz] C:\Program\COMMON~2\QuickKaz.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [smrtdrv] runtime.exe
    O4 - HKLM\..\Run: [IPv6 Helper Driver] csass.exe
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\dlcjqtx.exe
    O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
    O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [si91e44b] rundll32.exe C:\WINDOWS\System32\si91e44b.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\lwmqbpg.exe
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [Video Process] sysconf.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\RunServices: [windows] hkey.exe
    O4 - HKLM\..\RunServices: [smrtdrv] runtime.exe
    O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe
    O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx


    __________________________________________

    here's a startup list:

    StartupList report, 5/16/2004, 1:11:50 PM
    StartupList version: 1.52
    Started from : C:\Program Files\anti-virus\hijackthis\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\COMMON~2\QuickKaz.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\WINDOWS\System32\dlcjqtx.exe
    C:\WINDOWS\System32\hpdllhost.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\lwmqbpg.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\Program\Grisoft\AVG6\avgcc32.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\SYSTEM32\rundll32.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\yvan\Start-meny\Program\Autostart]
    Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start-meny\Program\Autostart]
    Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    DadApp = C:\Program\Dell\AccessDirect\dadapp.exe
    Apoint = C:\Program\Apoint\Apoint.exe
    DVDSentry = C:\WINDOWS\System32\DSentry.exe
    WorksFUD = C:\Program\Microsoft Works\wkfud.exe
    Microsoft Works Portfolio = C:\Program\Microsoft Works\WksSb.exe /AllUsers
    Microsoft Works Update Detection = C:\Program\Microsoft Works\WkDetect.exe
    EM_EXEC = C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    QuickKaz = C:\Program\COMMON~2\QuickKaz.exe
    SunJavaUpdateSched = C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    windows = hkey.exe
    ashMaiSv = C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    smrtdrv = runtime.exe
    IPv6 Helper Driver = csass.exe
    SmcService = C:\Program\Sygate\SPF\smc.exe -startgui
    nssysconf = C:\WINDOWS\System32\dlcjqtx.exe
    kw3eef76 = rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
    li01f948 = rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
    000hpdllhost = C:\WINDOWS\System32\hpdllhost.exe
    readdb40 = rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
    si91e44b = rundll32.exe C:\WINDOWS\System32\si91e44b.dll,EnableRunDLL32
    he3e3fc4 = rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
    hpsysconf1 = C:\WINDOWS\System32\lwmqbpg.exe
    inetmgr = C:\Program\INTERN~2\inetmgr.exe
    wm41a398 = rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
    iel2cde8 = rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
    icdd7ee6 = rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
    Video Process = sysconf.exe
    AVG_CC = C:\Program\Grisoft\AVG6\avgcc32.exe /startup

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    windows = hkey.exe
    smrtdrv = runtime.exe
    Nt System Kernel = ntsyskrnl.exe
    Video Process = sysconf.exe
    Config Loader =
    Registry Loader =
    MS Config Loader =
    Microsoft Office =
    Microsoft Office Start =
    Windows Update =
    Windows Backup Configuration =
    Microsoft Windows Updater =
    Config Loader2 =
    Office Startup =
    Quicktime Pro 3.0 =
    Svhost Loader =
    MS Security Hotfix =
    Windows Communicator =
    Config Loader for Microsoft Windows =
    System Loaderav =
    ConfiggLoader =
    Configuration Loader =
    Sound Loader =
    Windows Config Manager =
    Windows Loader =
    Service Controller =
    Ms Task =
    Windows Explorer =
    Mixer =
    System Loaderap =
    Norton Live Updater =
    Windows Update Service =
    Update =
    Configuration Loading =
    MS Config Stream =
    Win Init =
    Windows Startup =
    Windows Media Player =
    WindowsFS =

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

    (Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\System32\kw3eef76.dll - {00000000-0000-0000-8835-3EFF76BF2657}
    (no name) - C:\WINDOWS\System32\icdd7ee6.dll - {00000000-0000-0000-BFA1-D7EE6696B865}
    (no name) - C:\WINDOWS\System32\wm41a398.dll - {00000000-0000-41a3-98CF-00000000168B}
    (no name) - C:\WINDOWS\System32\iel2cde8.dll - {00000000-0000-47c5-A90F-2CDE8F7638DB}
    (no name) - C:\WINDOWS\System32\he3e3fc4.dll - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09}
    (no name) - C:\Program\INTERN~2\inetkw.dll - {046D6EA4-15E3-4b27-8010-45BD78A9219E}
    (no name) - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31}
    (no name) - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\program\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    Payya Tec Popup Killer - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [AltaVista Toolbar]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    CODEBASE = http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM

    [AcDcToday Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACDCTO~1.OCX
    CODEBASE = file://C:\Program\AutoCAD 2002\AcDcToday.ocx

    [SassCln Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
    CODEBASE = http://www.microsoft.com/security/controls/SassCln.CAB

    [NOXLATE-BANR]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstBanr.ocx
    CODEBASE = file://C:\Program\AutoCAD 2002\InstBanr.ocx

    [InstaFred]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx
    CODEBASE = file://C:\Program\AutoCAD 2002\InstFred.ocx

    [Live365Player Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\Play365.dll
    CODEBASE = http://www.live365.com/players/play365.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [AcPreview Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX
    CODEBASE = file://C:\Program\AutoCAD 2002\AcPreview.ocx

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

    --------------------------------------------------
    End of report, 9,957 bytes
    Report generated in 0.090 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Could you help me remove Revop.C and possibly other spoilers?
    Thanks!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi zorralarousse,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {1B0E7716-898E-48cc-9690-4E338E8DE1D3} - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINDOWS\System32\kw3eef76.dll
    O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\System32\icdd7ee6.dll
    O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\System32\wm41a398.dll
    O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll
    O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINDOWS\System32\he3e3fc4.dll
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll

    O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll
    O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINDOWS\System32\readdb40.dll
    O3 - Toolbar: (no name) - {28A19C3E-91E4-4bca-A623-BAF3C43C4F49} - C:\WINDOWS\System32\si91e44b.dll

    O4 - HKLM\..\Run: [QuickKaz] C:\Program\COMMON~2\QuickKaz.exe

    O4 - HKLM\..\Run: [windows] hkey.exe

    O4 - HKLM\..\Run: [smrtdrv] runtime.exe
    O4 - HKLM\..\Run: [IPv6 Helper Driver] csass.exe

    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\dlcjqtx.exe
    O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\System32\hpdllhost.exe
    O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [si91e44b] rundll32.exe C:\WINDOWS\System32\si91e44b.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\lwmqbpg.exe
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\System32\icdd7ee6.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [Video Process] sysconf.exe

    O4 - HKLM\..\RunServices: [windows] hkey.exe
    O4 - HKLM\..\RunServices: [smrtdrv] runtime.exe
    O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe
    O4 - HKLM\..\RunServices: [Video Process] sysconf.exe

    Then reboot and do an online virus scan; you will find several listed here: http://www.wilders.org/free_services.htm

    Then download TDS-3 from http://www.wilders.org/anti_trojans.htm
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then click System Testing > Full System scan.

    Let us know the results. I think your AVG is toast, so you may want to replace or reinstall that.

    Regards,

    Pieter
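    One way to automate the triage Pieter did by hand on the O4 lines above, written as an added example (it is not code from the thread, from HijackThis or from Wilders): the sample lines are constructed in the log's O4 format, and the heuristics (bare filename with no path, a Win9x-era RunServices entry, the same entry in two autostart keys, a rundll32 value whose name is just the DLL's name) are assumptions drawn from the entries flagged in the reply.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis O4 line format used in the thread.
# Only the line shape is borrowed from the log; this is not the full log.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [windows] hkey.exe
O4 - HKLM\..\Run: [smrtdrv] runtime.exe
O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINDOWS\System32\kw3eef76.dll,EnableRunDLL32
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [windows] hkey.exe
O4 - HKLM\..\RunServices: [Nt System Kernel] ntsyskrnl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run[A-Za-z]*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# rundll32[.exe] <dll>,<export> [args]
RUNDLL_RE = re.compile(r"^rundll32(\.exe)?\s+(?P<dll>[^,]+),(?P<export>\S+)", re.I)


def parse_o4(text):
    """Return one dict (hive, key, name, cmd) per O4 line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def _exe_token(cmd):
    """First token of the command line, with a quoted path unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(text):
    """Apply the reply's heuristics to every O4 entry; return the flagged ones."""
    entries = parse_o4(text)
    # Which autostart keys each (value name, command) pair was written to.
    keys_for = defaultdict(set)
    for e in entries:
        keys_for[(e["name"].lower(), e["cmd"].lower())].add(e["key"].lower())

    findings = []
    for e in entries:
        reasons = []
        m = RUNDLL_RE.match(e["cmd"])
        if m:
            # The code that runs is the DLL, not rundll32. A value whose name is
            # just the DLL's base name looks machine-generated, not installed.
            dll = m.group("dll").strip()
            stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if stem.lower() == e["name"].lower():
                reasons.append(
                    f"rundll32 loads {dll} (export {m.group('export')}); "
                    "value name is just the DLL name"
                )
        else:
            exe = _exe_token(e["cmd"])
            if "\\" not in exe and ":" not in exe:
                # No directory at all: the loader resolves it via the search
                # path, and installers almost always write a full path.
                reasons.append(f"bare filename {exe!r} with no path")
        if e["key"].lower() == "runservices":
            # RunServices is a Windows 9x/Me autostart key that XP does not
            # process; legitimate XP software has no reason to write there.
            reasons.append("entry in the Windows 9x/Me RunServices key on XP")
        if len(keys_for[(e["name"].lower(), e["cmd"].lower())]) > 1:
            reasons.append("same entry written to more than one autostart key")
        if reasons:
            findings.append({"name": e["name"], "cmd": e["cmd"], "reasons": reasons})
    return findings


def suspicious_names(text):
    """Sorted, de-duplicated value names that triage() flagged."""
    return sorted({f["name"] for f in triage(text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"[{f['name']}] {f['cmd']}")
        for r in f["reasons"]:
            print("   -", r)
```

    Entries with a full path under a vendor directory (DadApp, SmcService, the NVIDIA rundll32 line) pass; the ones Pieter listed do not.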
     
  3. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    hello pieter,
    thanks for your advice. I have cleaned the files you mentioned, ran an online scan (HouseCall) which found and deleted 2 viruses: dos_agabot.gen [in windows\system 32\drivers\ETC\hosts] and bat_sasser.A [in windows\system32\cmd.ftp]. Installed, upgraded and used TDS-3, which gave this result:

    Scan Control Dumped @ 00:20:17 17-05-04
    Positive identification: Adware.CommonName.c
    File: c:\program\intern~2\inetmgr.exe

    RegVal Trace: DDoS.RAT.Litmus: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Windows=hkey.exe]

    Positive identification: Riskware.Firedaemon
    File: c:\winnt\system32\config\ens\firedaemon.exe

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\kth-la\l+a\kursprogram\l+a_schedule_040113.doc.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\kth-la\l+a\papperskorg\l+a_schedule_031211.doc.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\privat\brev etc\avanmälan_namnändring_jo.wps.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\johanna\johannas\privat\cv\curri_jo.wps.doc

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\documents and settings\yvan\lokala inställningar\temp\1a0.tmp

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\yvan\mina dokument\curriculum\curri02.wps.doc

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\yvan\mina dokument\curriculum\curri_jo.wps.doc

    Positive identification (DLL): Adware.CommonName.c (dll)
    File: c:\program\internet keyword\inetkw.dll

    Positive identification: Adware.CommonName.c
    File: c:\program\internet keyword\inetmgr.exe

    Positive identification (DLL): Adware.Lz.b (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-319.dll

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-335.dll

    Positive identification (DLL): Adware.Lz.c (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-439.dll

    Positive identification (DLL): Adware.Lz.a (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040512-165452-822.dll

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211819-261.dll

    Positive identification (DLL): Adware.Lz.b (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-253.dll

    Positive identification (DLL): Adware.Lz.a (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-282.dll

    Positive identification (DLL): Adware.CommonName.c (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-462.dll

    Positive identification (DLL): Adware.Lz.c (dll)
    File: c:\program files\anti-virus\hijackthis\backup-20040516-211820-902.dll

    Suspicious Filename: Dual extensions
    File: c:\program files\sketchup\installsketchup-3[1].0.102.exe

    Positive identification: RAT.HelioS 2.0 (UPX.b)
    File: c:\temp\antivirus040501\vcleaner.exe

    Positive identification (DLL): Adware.BookedSpace.c (dll)
    File: c:\windows\bxxs5.dll

    Positive identification: Adware.SAH
    File: c:\windows\downloaded program files\sahagent_.exe

    Positive identification: TrojanDownloader.Win32.IEK
    File: c:\windows\system32\aud-cnet1.exe

    Positive identification (DLL): Adware.Lz.a (dll)
    File: c:\windows\system32\he3e3fc4.dll

    Positive identification: Adware.Lz
    File: c:\windows\system32\hpdllhost.exe

    Positive identification (DLL): Adware.Lz.c (dll)
    File: c:\windows\system32\icdd7ee6.dll

    Positive identification (DLL): Adware.Lz.b (dll)
    File: c:\windows\system32\iel2cde8.dll

    Positive identification: Adware.CommonName.c Dropper
    File: c:\windows\system32\inetkw.exe

    Positive identification: Adware.CommonName.c Dropper.a
    File: c:\windows\system32\inetkwsys.exe

    Positive identification (DLL): Adware.Lz.d (dll)
    File: c:\windows\system32\kw3eef76.dll

    Positive identification (DLL): Adware.Lz.e (dll)
    File: c:\windows\system32\li01f948.dll

    Positive identification: TrojanDownloader.Win32.IEK
    File: c:\windows\system32\lwmqbpg.exe

    Positive identification (DLL): Adware.Lz.g (dll)
    File: c:\windows\system32\readdb40.dll

    Positive identification (DLL): Adware.Lz.f (dll)
    File: c:\windows\system32\si91e44b.dll

    Positive identification: TrojanDownloader.Win32.Vivia.d
    File: c:\windows\system32\whistleschk.exe

    Positive identification: Riskware.Firedaemon
    File: c:\winnt\system32\config\ens\firedaemon.exe

    ______________________________________

    here follows a new HijackThis log:


    Logfile of HijackThis v1.97.7
    Scan saved at 12:31:43 AM, on 5/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program Files\anti-virus\avg antivirus\avgcc32.exe
    C:\Program Files\anti-virus\trojanscanner\TDS3\tds-3.exe
    C:\Program\Delade filer\L&H Shared\PCMM RealSpeak V1\RSSVR10.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\WINDOWS\System32\notepad.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\anti-virus\avg antivirus\avgcc32.exe /startup
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx

    _____________________________________________

    I reinstalled AVG and when scanning, it now finds:
    downloader.vidia.B in windows\system32\DLCJQTX.exe (moved to vault)

    ______________________________________________

    As far as I understand, it seems that revop.C is gone; do you think I still have Sasser? I have this virus downloader.vidia.B...

    What do you advise me to do?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Have TDS remove all the positive identifications, with one exception if you installed that yourself: Firedaemon.
    The program itself is harmless, but it can be abused by others.

    Then Run HijackThis again and post a new HijackThis log.

    Regards,

    Pieter
     
  5. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    TDS has removed all positive identifications, all except inetmgr.exe, which is running and which can't be stopped, even when I try via the Task Manager.
    Here's a new HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:00:16 PM, on 5/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    c:\winnt\system32\config\ens\runntserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program\Apoint\Apntex.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\Program Files\anti-virus\avg antivirus\avgcc32.exe
    C:\Program\INTERN~2\inetsvc.exe
    C:\Program\INTERN~2\inetmgr.exe
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe
    C:\WINDOWS\System32\rundll32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll (file missing)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [windows] hkey.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\anti-virus\avg antivirus\avgcc32.exe /startup
    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi zorralarousse,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll (file missing)

    O4 - HKLM\..\Run: [windows] hkey.exe

    O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe

    Then reboot into safe mode and delete:
    C:\Program\INTERNET KEYWORD <= entire folder

    Regards,

    Pieter
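A small triage script for the log entry classes Pieter picks out above (the bare-name `[windows] hkey.exe` autorun, the `(file missing)` BHO, and the autorun living in the same INTERN~2 folder). This is an added example, not code from the thread or from HijackThis; the sample lines are a constructed subset of the log posted here, and the folder-correlation rule is an assumed heuristic of my own.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: a subset of the HijackThis 1.97 lines posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\Program\INTERN~2\inetkw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [windows] hkey.exe
O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [inetmgr] C:\Program\INTERN~2\inetmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
"""

@dataclass
class Finding:
    line: str
    reason: str

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<label>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
MISSING = "(file missing)"
# Commands HijackThis routinely logs without a directory and that are expected on XP.
KNOWN_BARE_HOSTS = {"rundll32.exe"}

def first_token(cmd: str) -> str:
    """Return the executable part of an autorun command, honouring quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def directory_of(path: str) -> str:
    """Lower-cased parent folder of a Windows path, or '' for a bare file name."""
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""

def triage(log_text: str) -> List[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: List[Finding] = []
    orphan_dirs: Set[str] = set()

    # Pass 1: Hosts overrides and BHO registrations whose DLL is gone.
    for line in lines:
        if line.startswith("O1 - Hosts:"):
            findings.append(Finding(line, "Hosts entry pins a name to an IP; confirm it was set on purpose"))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").endswith(MISSING):
            orphan_dirs.add(directory_of(m.group("path")[: -len(MISSING)].strip()))
            findings.append(Finding(line, "BHO registration points to a file that no longer exists"))

    # Pass 2: autoruns, using the orphaned-BHO folders as a correlation key (assumed heuristic).
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        exe = first_token(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        if "\\" not in exe and base not in KNOWN_BARE_HOSTS:
            findings.append(Finding(line, f"[{m.group('name')}] starts {exe} by bare name, so Windows resolves it via PATH"))
        elif directory_of(exe) and directory_of(exe) in orphan_dirs:
            findings.append(Finding(line, "autorun target sits in the same folder as an orphaned BHO"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```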
     
  7. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    hello pieter,
    I followed your advice, removed the items and the folder, and everything seems to work much better now!

    revop.c is gone I think, and I thank you for this!

    I ran AVG, which didn't find anything, and neither did Housecall, but Panda found 5 viruses (!) and fixed 3 of them. One virus [Bck/Iroffer.E] is uncleanable in 2 different files which I can't see in the Explorer; do you think I should bother about it?
    Here's the log of Panda:

    Virus:Exploit/iFrame Disinfected C:\Documents and Settings\yvan\Lokala inställningar\Temporary Internet Files\Content.IE5\G5CQPN6C\wbk13.tmp
    Virus:Bck/Iroffer.E No disinfected C:\Program Files\anti-virus\trojanscanner\TDS3\xDynamic\TDS.Unpk\xkit.exe[NTFS32.exe]
    Virus:Bck/Iroffer.E No disinfected C:\WINDOWS\Temp\xkit.exe[NTFS32.exe]
    Virus:W32/Bagle.pwdzip Disinfected Lokala mappar\Inkorgen\Warning about your e-mail account.\Info.zip
    Virus:W32/Netsky.P.worm Disinfected Lokala mappar\Inkorgen\Stolen document\document342.exe

    __________________________________

    Here's a new HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:54:27 PM, on 5/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\avgserv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program\Dell\AccessDirect\dadapp.exe
    C:\Program\Apoint\Apoint.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program\Dell\AccessDirect\DadTray.exe
    C:\Program\Apoint\Apntex.exe
    C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program\WinZip\WZQKPICK.EXE
    C:\Program\hardcopy\hardcopy.exe
    C:\PROGRA~1\ANTI-V~1\AVGANT~1\AVGCC32.EXE
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\anti-virus\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.sve.chello.se/ssi/welcome/welcome.php?url=search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.liberation.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\anti-virus\spyboot\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
    O2 - BHO: Payya Tec Popup Killer - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program\PayyaTec\PopupKiller\PopupKiller.dll
    O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\Program\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\anti-virus\avg antivirus\avgcc32.exe /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: Hardcopy.LNK = C:\Program\hardcopy\hardcopy.exe
    O4 - Startup: Iomega Quick Tools NT.lnk = C:\iomega\QUICK.EXE
    O4 - Startup: Options de démarrage Iomega.lnk = C:\iomega\STARTNT.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Recherche AltaVista - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Traduction - file://C:\Program\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
    O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://home.sve.chello.se/ssi/welcome/welcome.php?url=home
    O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/app/toolbar/cfg/altavista.cab?r=ALVWOM
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx

    __________________________________________

    Tell me if you think I still can improve things,

    Thank you very much for all your help,

    zorra [ :)]
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
  9. zorralarousse

    zorralarousse Registered Member

    Joined:
    May 17, 2004
    Posts:
    5
    Once again, thank you for everything, Pieter...
    ... and happy birthday!!!!!!


    Zorralarousse
     