TROJ_REVOP.A - Please Help with Hijack Log!

Discussion in 'adware, spyware & hijack cleaning' started by Yelraf, Apr 17, 2004.

Thread Status:
Not open for further replies.
  1. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Hi, guys. My pc was recently bombarded with spyware and ad executables after TROJ_REVOP.A managed to sneak through popup stoppers and Norton. It downloaded itself via a popup and flooded my computer with rubbish. Ad-aware appears to have cleaned up most of the garbage although something still tries to download ("Avenue A, Inc."), leading me to believe that one of the trojan's processes is still on my pc. Here's what I'm currently using:

    - Stop-the-Pop-Up
    - Free Surfer mk II
    - SpywareBlaster
    - Bazooka
    - AVG 6.0
    - Spybot
    - Ad-aware

    Could you please help me out and check out the following Hijack log just to be sure I've rid my computer of any remnants? Thanks!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:15:08 PM, on 4/17/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
    C:\Program Files\VerizonDSL\IPInsight\ARMon32a.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\stisvc.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\Program Files\VerizonOnlineDSL\WinPoET\WrOS.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Free Surfer\fs20.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
    C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Documents and Settings\David\Desktop\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WINDOWS\WK\INTERN~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [RunDLL34] C:\WINDOWS\FONTS\font2\syscnfg.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.smartraveler.com/bos/camera.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{430083C0-FC21-4CEE-A1C6-684B87093218}: NameServer = 151.203.0.85 151.203.0.84
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    before doing any of the steps I said to do please find this folder
    C:\WINDOWS\FONTS\font2
    zip it up & send it to me submit@thespykiller.co.uk so we can see exactly which trojan has infected you


    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\RunServices: [RunDLL34] C:\WINDOWS\FONTS\font2\syscnfg.exe
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.smartraveler.com/bos/camera.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tuk...0.20/tukati.cab


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\FONTS\font2\syscnfg.exe and any other .exe files in that folder. In fact, please delete the font2 subfolder; it is all bad and is normally a backdoor trojan that can take over the system, so

    then
    Reboot normally &

    I would strongly recommend downloading and running a specialised anti-trojan

    the anti-trojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

    sit back with a cup of coffee and watch what it finds

    NOTE:

    Unlike set-and-forget AVs, TDS works with you. It doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it. The normal selection would be delete, but first select "save as text"; that will create a logfile of all the found suspect files and put it in the TDS directory, called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt
     
  3. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Hi, dvk01. I just sent you an email with the zipped font2 folder. Anything you may suggest would be very helpful. Thanks again for your quick and effective response! :)

    Yelraf
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    at a quick glance it looks like a new mIRC backdoor trojan
    it's on its way to several developers to pull apart

    nothing I've got is flagging it at the moment, but if it was in that location on your computer it is definitely bad

    provided you have deleted the font2 folder it should be ok, but there is an installer in the folder, that hopefully hasn't installed any files anywhere else

    please post a new hijackthis log and the report from tds

    Edit:

    Just got this from Kaspersky online scan
    font2.zip Archive: ZIP
    font2.zip/font2/index.html Ok
    font2.zip/font2/iostream.exe Archive: Astrum
    font2.zip/font2/iostream.exe/data0001 Packed: UPX
    font2.zip/font2/iostream.exe/data0001 Ok
    font2.zip/font2/iostream.exe/data0002 Packed: UPX
    font2.zip/font2/iostream.exe/data0002 Ok
    font2.zip/font2/iostream.exe/data0003 Packed: UPX
    font2.zip/font2/iostream.exe/data0003 Ok
    font2.zip/font2/iostream.exe/data0004 Packed: UPX
    font2.zip/font2/iostream.exe/data0004 Ok
    font2.zip/font2/iostream.exe/data0005 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0006 Packed: UPX
    font2.zip/font2/iostream.exe/data0006 Ok
    font2.zip/font2/iostream.exe/data0007 Ok
    font2.zip/font2/iostream.exe/data0008 Ok
    font2.zip/font2/iostream.exe/data0009 Infected: Trojan.BAT.DelVbs
    font2.zip/font2/iostream.exe/data0010 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0011 Packed: UPX
    font2.zip/font2/iostream.exe/data0011 Ok
    font2.zip/font2/iostream.exe/data0012 Ok
    font2.zip/font2/iostream.exe/data0013 Infected: Backdoor.IRC.Flood.v
    font2.zip/font2/iostream.exe/data0014 Infected: Worm.Win32.Randon.r
    font2.zip/font2/iostream.exe/data0015 Ok
    font2.zip/font2/iostream.exe/data0016 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0017 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0018 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0019 Infected: Backdoor.IRC.Cloner
    font2.zip/font2/iostream.exe/data0020 Ok
    font2.zip/font2/iostream.exe/data0021 Ok
    font2.zip/font2/iostream.exe/data0022 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0023 Ok
    font2.zip/font2/iostream.exe/data0024 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0025 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0026 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0027 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0028 Infected: IRC-Worm.Jumpin
    font2.zip/font2/iostream.exe/data0029 Ok
    font2.zip/font2/moo.dll Packed: UPX
    font2.zip/font2/moo.dll Ok
    font2.zip/font2/myownservers.dll Ok
    font2.zip/font2/odl.ocx Ok
    font2.zip/font2/remote.ini Ok
    font2.zip/font2/restarter.exe Packed: UPX
    font2.zip/font2/restarter.exe Ok
    font2.zip/font2/rldmrc.ocx Infected: IRC-Worm.Jumpin
    font2.zip/font2/rm.exe Ok
    font2.zip/font2/stdlib.exe Packed: UPX
    font2.zip/font2/stdlib.exe Ok
     
    Last edited: Apr 20, 2004
  5. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Wow, thanks. I'll obtain a log from Hijack and a TDS report. I haven't deleted the font2 folder and its contents yet. Shall I delete them now or wait until after I run the logs?

    Many thanks,
    Yelraf
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    delete the font2 folder first, then do the scans
    you might need to be in safe mode to delete the folder
     
  7. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Okay, I deleted the font2 folder and performed the scans. I couldn't believe what TDS found:

    Scan Control Dumped @ 22:31:01 20-04-04
    Positive identification: Adware.Apropos.b
    File: c:\sys_ai_client_loader.exe

    Positive identification (in archive): DDoS.RAT.GT Bot Dropper.IO
    File: iostream.exe (In c:\documents and settings\david\desktop\font2.zip)

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 5944 bytes
    File: c:\my documents\my pictures\030316-1100-46.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 8296 bytes
    File: c:\my documents\my pictures\2004 acura tl.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 6428 bytes
    File: c:\my documents\my pictures\43880015.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4692 bytes
    File: c:\my documents\my pictures\blckmrno.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 11412 bytes
    File: c:\my documents\my pictures\cg1_patriots.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4984 bytes
    File: c:\my documents\my pictures\chase.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 9560 bytes
    File: c:\my documents\my pictures\employee_outhouse.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 6224 bytes
    File: c:\my documents\my pictures\grande baroque.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4844 bytes
    File: c:\my documents\my pictures\jerry.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 9700 bytes
    File: c:\my documents\my pictures\michaelangelo.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 6892 bytes
    File: c:\my documents\my pictures\outhouse.gif:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 9924 bytes
    File: c:\my documents\my pictures\outhousebarn.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4592 bytes
    File: c:\my documents\my pictures\sample.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 3908 bytes
    File: c:\my documents\my pictures\silver palace zoom.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 7888 bytes
    File: c:\my documents\my pictures\silver palace.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 4800 bytes
    File: c:\my documents\my pictures\silvmrno.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 6696 bytes
    File: c:\my documents\my pictures\suzi_shower7.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 10736 bytes
    File: c:\my documents\my pictures\ts3_cinderella_4_lg.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 8072 bytes
    File: c:\my documents\my pictures\urquell.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 7636 bytes
    File: c:\my documents\my pictures\wicked pissah1.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 3916 bytes
    File: c:\my documents\my pictures\wp.jpg:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 3248 bytes
    File: c:\my documents\my pictures\microsoft clip organizer\sy00307_.wmf:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 3272 bytes
    File: c:\my documents\my pictures\microsoft clip organizer\sy00309_.wmf:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 5096 bytes
    File: c:\my documents\my pictures\microsoft clip organizer\sy01124_.wmf:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 5304 bytes
    File: c:\my documents\my pictures\microsoft clip organizer\sy01126_.wmf:q30lsldxjoudresxaaaqpcawxc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 7756 bytes
    File: c:\my pictures\miscellaneous\uncle ricky.jpg:q30lsldxjoudresxaaaqpcawxc

    Positive identification: DDoS.RAT.GT Bot Dropper.IO
    File: c:\windows\system32\iostream.exe

    Here is my updated Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:34:37 PM, on 4/20/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
    C:\Program Files\VerizonDSL\IPInsight\ARMon32a.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\system32\stisvc.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\Program Files\VerizonOnlineDSL\WinPoET\WrOS.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Free Surfer\fs20.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
    C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Documents and Settings\David\Desktop\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WINDOWS\WK\INTERN~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.63-DELEON.DLL/cmtrans.html
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{430083C0-FC21-4CEE-A1C6-684B87093218}: NameServer = 151.203.0.85 151.203.0.84

    On a side note, the first folder on my C: drive is called:

    C:\$VAULT$.AVG
    00000001.FIL
    00000002.FIL
    00000003.FIL
    00000004.FIL
    00000005.FIL

    The .FIL extensions are the hidden files inside the folder. I wasn't sure if this was anything to add but wanted to bring it up just in case.

    Let me know if there's anything else I can do!

    Regards,
    Yelraf
     
  8. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Dvk01, false alarm on the $VAULT$ folder. That's just part of my AVG Antivirus...
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    ignore all the ntfs ads entries they are OK

    but let TDS FIX

    Positive identification: Adware.Apropos.b
    File: c:\sys_ai_client_loader.exe

    Positive identification (in archive): DDoS.RAT.GT Bot Dropper.IO
    File: iostream.exe (In c:\documents and settings\david\desktop\font2.zip)

    Positive identification: DDoS.RAT.GT Bot Dropper.IO
    File: c:\windows\system32\iostream.exe


    then make sure you delete the font2.zip from the desktop and empty recycle bin afterwards
     
  10. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    Okay. Being unfamiliar with TDS-3, how do I fix the 3 problems I have with it? Is there a particular function that will clean these items for me?
    Thanks...
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    run the tds scan again unless it is still open with the items showing, and when the items appear in the bottom window, right click the bad ones and select delete
     
  12. Yelraf

    Yelraf Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    7
    It's as simple as a right-click and delete, huh? Great, I'll give that a shot tonight. Lastly, should I be concerned at all with the Alternate Data Streams or are they essentially harmless and non-threatening?

    Thanks for all your help. I really do appreciate it!
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Nothing to worry about normally with alternate data streams when they are in a jpg or other picture file. It's just the way that Windows, and XP in particular, carries some additional information

    the Alternate Data Streams you need to investigate are those attached to any .exe file or any file that can be run like a dll
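As an added example (not from the thread, and not part of TDS-3 or HijackThis), the script below applies dvk01's rule to a TDS scandump: signature hits go to a "fix" bucket, an ADS hanging off an executable or loadable file (.exe, .dll, .ocx and friends) is flagged for investigation, and an ADS on a picture or clip-art file is put aside. The log format is assumed from the lines Yelraf pasted; the sample input is constructed, and the `.exe` host with a `payload_stream` ADS is invented to exercise the "investigate" branch.

```python
import re
from dataclasses import dataclass

# File types Windows will execute or load as code. dvk01's rule: an ADS on one
# of these deserves a look; a stream on a picture file is usually metadata.
EXECUTABLE_EXTS = {".exe", ".dll", ".ocx", ".scr", ".com", ".sys", ".cpl",
                   ".bat", ".cmd", ".vbs", ".js", ".pif"}

# Constructed sample in the shape of Yelraf's TDS-3 dump. The
# 'example_host.exe' entry is made up and not from the thread.
SAMPLE_SCANDUMP = r"""
Scan Control Dumped @ 22:31:01 20-04-04
Positive identification: Adware.Apropos.b
File: c:\sys_ai_client_loader.exe

Positive identification (in archive): DDoS.RAT.GT Bot Dropper.IO
File: iostream.exe (In c:\documents and settings\david\desktop\font2.zip)

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 5944 bytes
File: c:\my documents\my pictures\030316-1100-46.jpg:q30lsldxjoudresxaaaqpcawxc

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 3248 bytes
File: c:\my documents\my pictures\microsoft clip organizer\sy00307_.wmf:q30lsldxjoudresxaaaqpcawxc

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 1024 bytes
File: c:\constructed\example_host.exe:payload_stream

Positive identification: DDoS.RAT.GT Bot Dropper.IO
File: c:\windows\system32\iostream.exe
"""

IDENT_RE = re.compile(r"Positive identification(?: \(in archive\))?: (.+)")
ADS_RE = re.compile(r"NTFS Alternate Data Stream: ADS Hidden Stream Detected: (\d+) bytes")


@dataclass
class Finding:
    kind: str          # "ident" (signature hit) or "ads" (hidden stream)
    path: str          # file path; for an ADS, the host file without the stream
    detail: str = ""   # malware name for signature hits
    stream: str = ""   # ADS stream name, if any
    size: int = 0      # ADS size in bytes


def split_ads(file_field):
    """Split 'c:\\dir\\host.jpg:stream' into (host path, stream name).
    Splitting on the last colon leaves the drive-letter colon alone."""
    path, sep, stream = file_field.rpartition(":")
    if not sep or len(path) <= 1:   # no stream part, or only a drive letter
        return file_field, ""
    return path, stream


def host_extension(path):
    """Lower-cased extension of the last path component ('' if none)."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def parse_scandump(text):
    """Each hit is a header line followed by a 'File: ' line, so walk in pairs."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings, i = [], 0
    while i + 1 < len(lines):
        header, nxt = lines[i], lines[i + 1]
        if nxt.startswith("File: "):
            file_field = nxt[len("File: "):]
            m_id, m_ads = IDENT_RE.match(header), ADS_RE.match(header)
            if m_id:
                findings.append(Finding("ident", file_field, detail=m_id.group(1)))
            elif m_ads:
                path, stream = split_ads(file_field)
                findings.append(Finding("ads", path, stream=stream, size=int(m_ads.group(1))))
            if m_id or m_ads:
                i += 2
                continue
        i += 1
    return findings


def triage(findings):
    """fix: signature hits; investigate: ADS on a code file; ignore: ADS elsewhere."""
    buckets = {"fix": [], "investigate": [], "ignore": []}
    for f in findings:
        if f.kind == "ident":
            buckets["fix"].append(f)
        elif host_extension(f.path) in EXECUTABLE_EXTS:
            buckets["investigate"].append(f)
        else:
            buckets["ignore"].append(f)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(parse_scandump(SAMPLE_SCANDUMP)).items():
        print(f"== {bucket} ({len(items)})")
        for f in items:
            print(f"  {f.path}  ->  {f.detail or f'{f.stream} ({f.size} bytes)'}")
```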
     