Tech Support Guy
Registered · 217 Posts · Discussion Starter · #1
Hey guys, I just had a couple of viruses and I think I cleaned them up right, but I need someone to look at my HJT log file.
I got all these at the same time
(I had AWD_BARGBUDDY.A, AWD_NCASE.A, and TROJ_REVOP.A)

Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\TMPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\TMOAGENT.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [3Cmlink] c:\windows\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Antivirus\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/160055d179220e26d901/netzip/RdxIE601.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
 

Registered · 217 Posts · Discussion Starter · #3
Hey, I'll do that, but I take it back: I didn't get rid of the trojan that started all this, and now it is back or something, because I have every program I got rid of back. Here's my HijackThis log now; I hope I can get rid of this thing. It doesn't let me access the internet all the time and stuff. Well, here it is.

Logfile of HijackThis v1.97.7
Scan saved at 7:10:07 AM, on 3/28/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\TMPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\TMOAGENT.EXE
C:\PROGRAM FILES\LYCOS\IEAGENT\LOADER.EXE
C:\WINDOWS\BAO8JJUL.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\CALSDR.DLL
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH13218.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [3Cmlink] c:\windows\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Antivirus\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [BAO8JJUL.EXE] C:\WINDOWS\BAO8JJUL.EXE /dk
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O4 - HKCU\..\Run: [BAO8JJUL.EXE] C:\WINDOWS\BAO8JJUL.EXE /dk
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: X0M0LVIO.lnk = C:\WINDOWS\x0m0lvio.exe
O4 - Startup: 51VHCEF0.lnk = C:\WINDOWS\51vhcef0.exe
O4 - Startup: BAO8JJUL.lnk = C:\WINDOWS\bao8jjul.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: X0M0LVIO.lnk = C:\WINDOWS\x0m0lvio.exe
O4 - Global Startup: 51VHCEF0.lnk = C:\WINDOWS\51vhcef0.exe
O4 - Global Startup: BAO8JJUL.lnk = C:\WINDOWS\bao8jjul.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/160055d179220e26d901/netzip/RdxIE601.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab

I am having trouble getting rid of the trojan as well; the name of it is Troj_revop.A (that is with Trend Micro). One more note: I have it quarantined; should I delete it? (One more thing I forgot to add: unless I let
browserhelper.dll, bxxx5.dll, csie.dll, sidesearch13218.dll access the internet, then I cannot. It keeps asking to access other applications too, like My Briefcase for instance.) Thanks for all the help.
 

Registered · 46,465 Posts
Now I'm going to ask you to boot to safe mode to do these fixes with HJT, so you will need to copy these instructions to Notepad.

Boot to safe mode:

How to start your computer in safe mode.

In safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

Now run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\CALSDR.DLL

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH13218.DLL

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

O4 - HKLM\..\Run: [BAO8JJUL.EXE] C:\WINDOWS\BAO8JJUL.EXE /dk

O4 - HKCU\..\Run: [BAO8JJUL.EXE] C:\WINDOWS\BAO8JJUL.EXE /dk

O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe

O4 - Startup: X0M0LVIO.lnk = C:\WINDOWS\x0m0lvio.exe

O4 - Startup: 51VHCEF0.lnk = C:\WINDOWS\51vhcef0.exe

O4 - Startup: BAO8JJUL.lnk = C:\WINDOWS\bao8jjul.exe

O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe

O4 - Global Startup: X0M0LVIO.lnk = C:\WINDOWS\x0m0lvio.exe

O4 - Global Startup: 51VHCEF0.lnk = C:\WINDOWS\51vhcef0.exe

O4 - Global Startup: BAO8JJUL.lnk = C:\WINDOWS\bao8jjul.exe

O9 - Extra button: Sidesearch (HKLM)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/160055d...ip/RdxIE601.cab


Now open the C:\Windows folder and find and delete these files:

BAO8JJUL.EXE
morze5.exe
51vhcef0.exe
x0m0lvio.exe


Open the C:\Program Files folder and delete the Lycos folder.

Also in the Windows folder find the Temp folder and go to Edit > Select All then Edit > Delete and delete everything in the Temp folder.

Now go to Control Panel > Internet Options and on the General tab under "Temporary Internet Files" Click "Delete Files". In the box that pops up put a check by "Delete offline content" then click OK.

Boot back to normal and post another log please.
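
As an added example (not code from HijackThis or from anyone in this thread), here is the triage above done mechanically: parse two HJT logs into their sections, report every process and entry that the second log has and the first does not, and mark files that sit directly in C:\WINDOWS under a machine-generated-looking name for deletion. The random-name rule is my own heuristic, not an HJT feature, and the two log excerpts are constructed by trimming the thread's first (clean) and second (infected) logs to a few lines each.

```python
"""Diff two HijackThis logs and build a fix list.

Added example for this thread; not code from HijackThis or from the posters.
Assumes the HJT 1.9x text layout shown in the logs above. The two excerpts
below are constructed by trimming the thread's first (clean) and second
(infected) logs to a few lines each.
"""
import re
from collections import defaultdict

BASELINE = r"""
Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCGUIDE.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O9 - Extra button: AIM (HKLM)
"""

SUSPECT = r"""
Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCGUIDE.EXE
C:\PROGRAM FILES\LYCOS\IEAGENT\LOADER.EXE
C:\WINDOWS\BAO8JJUL.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [BAO8JJUL.EXE] C:\WINDOWS\BAO8JJUL.EXE /dk
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: X0M0LVIO.lnk = C:\WINDOWS\x0m0lvio.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Sidesearch (HKLM)
"""

# "O4 - <body>", "R1 - <body>", ... : section tag and the rest of the line
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")
# a drive-letter path ending in .exe or .dll, spaces allowed (Program Files)
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll)', re.IGNORECASE)
# Heuristic (my assumption, not an HJT rule): a dropped file has a 6-8 character
# alphanumeric name containing at least one digit and sits directly in C:\WINDOWS.
RANDOM_STEM_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{6,8}$", re.IGNORECASE)


def parse_hjt(text):
    """Return (processes, entries): the running-process list (upper-cased, Win9x
    paths are case-insensitive) and a dict mapping section tag to a set of bodies."""
    processes = []
    entries = defaultdict(set)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line.upper())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].add(m.group(2))
    return processes, dict(entries)


def diff_logs(baseline_text, suspect_text):
    """Processes and entries present in the suspect log but absent from the baseline."""
    base_procs, base_entries = parse_hjt(baseline_text)
    sus_procs, sus_entries = parse_hjt(suspect_text)
    known = set(base_procs)
    new_procs = [p for p in sus_procs if p not in known]
    new_entries = {}
    for section, bodies in sus_entries.items():
        added = bodies - base_entries.get(section, set())
        if added:
            new_entries[section] = sorted(added)
    return new_procs, new_entries


def suspicious_paths(entry_body):
    """Paths in one entry that match the random-name heuristic above."""
    hits = []
    for path in PATH_RE.findall(entry_body):
        parts = path.upper().split("\\")
        # exactly C:\WINDOWS\<file>: three components, second one WINDOWS
        if len(parts) == 3 and parts[1] == "WINDOWS":
            stem = parts[2].rsplit(".", 1)[0]
            if RANDOM_STEM_RE.match(stem):
                hits.append(path)
    return hits


def triage(baseline_text, suspect_text):
    """Build the list a helper would post: every new entry to 'Fix checked' in HJT,
    plus the random-named files in C:\\WINDOWS to delete by hand afterwards."""
    new_procs, new_entries = diff_logs(baseline_text, suspect_text)
    fix_list = []
    files_to_delete = set()
    for section, bodies in sorted(new_entries.items()):
        for body in bodies:
            fix_list.append(f"{section} - {body}")
            files_to_delete.update(p.upper() for p in suspicious_paths(body))
    return {"new_processes": new_procs, "fix_list": fix_list,
            "files_to_delete": sorted(files_to_delete)}


if __name__ == "__main__":
    result = triage(BASELINE, SUSPECT)
    for key, value in result.items():
        print(key)
        for item in value:
            print("   ", item)
```

Run against the two full logs in this thread, the diff lists everything the helper ticked except the RdxIE O16 entry, which was already in the clean log and was removed on judgement rather than by comparison; the file-deletion heuristic picks out the four random-named executables in C:\WINDOWS but not BrowserHelper.dll or CALSDR.DLL, which still need a person who knows what a clean Windows 98 install looks like. That is why a clean log taken before any infection is the most useful thing to keep.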
 

Registered · 217 Posts · Discussion Starter · #5
Thanks for the help, I think we got it.
Here's my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 12:00:38 PM, on 3/28/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\TMPROXY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\ANTIVIRUS\TMOAGENT.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [3Cmlink] c:\windows\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Antivirus\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab

(Also, I have a question: I can't find these files anywhere and they are cluttering my startup list:
9ZWIO0VB.EXE
ZIUPQ57J.EXE
X0M0LVIO.EXE
51VHCEFO.EXE
<There are 2 copies of these>
 

Registered · 46,465 Posts
The log is clean now! :up:

What do you mean "they are cluttering my start up list" ? You mean they are listed in msconfig?
 

Registered · 217 Posts · Discussion Starter · #7
Yes they are listed in Msconfig
 

Registered · 46,465 Posts
To permanently remove msconfig startup entries that reside in the registry, from the Start menu, click "Run", enter "regedit" and click "OK". You will find the startup entries in one of the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Note: Any of the above keys that are followed by a "-" (minus sign) represent startup entries that are disabled (unchecked in msconfig).


Warning! Always back up the registry before editing. Modifying the registry can cause serious problems that may require you to reinstall your operating system. I cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.
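
As an added example, not from the original post: export the keys listed above with regedit's Export Registry File command (the .reg file is also the backup the warning asks for), then feed that file to this script to list every startup entry and show which ones live under a key with the trailing "-", i.e. are disabled in msconfig. The export text embedded here is constructed by hand in the REGEDIT4 format Windows 98 regedit writes; it borrows the BAO8JJUL.EXE entry from the logs above.

```python
"""Find startup entries in a regedit export of the Run keys, including the
disabled ones that msconfig parks under keys ending in "-".

Added example for this thread, not part of the original post. The export
below is constructed by hand in the REGEDIT4 format that regedit on
Windows 98 writes; the entries mirror ones seen in the thread's logs.
"""
import re

# the keys the post lists; Run- etc. are the disabled (msconfig-unchecked) twins
STARTUP_KEYS = ("Run", "RunOnce", "RunServices", "RunServicesOnce", "RunOnceEx")
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\("
    + "|".join(sorted(STARTUP_KEYS, key=len, reverse=True))   # longest first
    + r")(-?)\]$",
    re.IGNORECASE,
)
# "name"="data" lines; REGEDIT4 escapes backslashes and quotes in data as \\ and \"
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')

SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Antivirus\\pccguide.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-]
"BAO8JJUL.EXE"="C:\\WINDOWS\\BAO8JJUL.EXE /dk"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-]
"BAO8JJUL.EXE"="C:\\WINDOWS\\BAO8JJUL.EXE /dk"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="regedit\\1"
"""


def unescape(s):
    """Undo REGEDIT4 string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return one dict per value under a startup key:
    hive, key (with its trailing '-' if disabled), name, command, enabled."""
    entries = []
    current = None            # (hive, key, disabled) while inside a startup key
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            # any other key (e.g. Explorer\RunMRU) switches collection off
            current = (m.group(1), m.group(2), m.group(3) == "-") if m else None
            continue
        if current is None or not line.startswith('"'):
            continue
        v = VALUE_RE.match(line)
        if v:
            hive, key, disabled = current
            entries.append({
                "hive": hive,
                "key": key + ("-" if disabled else ""),
                "name": unescape(v.group(1)),
                "command": unescape(v.group(2)),
                "enabled": not disabled,
            })
    return entries


def locate(entries, filename):
    """Entries whose command line mentions the given file name (case-insensitive)."""
    needle = filename.upper()
    return [e for e in entries if needle in e["command"].upper()]


if __name__ == "__main__":
    found = parse_reg_export(SAMPLE_EXPORT)
    for e in found:
        state = "enabled " if e["enabled"] else "DISABLED"
        print(f'{state} {e["hive"]}\\...\\{e["key"]}  [{e["name"]}] {e["command"]}')
    print("9ZWIO0VB.EXE in Run keys:", locate(found, "9ZWIO0VB.EXE"))
```

A file that msconfig lists but this script finds nowhere in the Run keys is being started from somewhere else; the thread's own logs show the other place msconfig reads, the Startup and Global Startup shortcut folders (the "O4 - Startup" and "O4 - Global Startup" lines), so look for a leftover .lnk there before editing anything else.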
 

Registered · 217 Posts · Discussion Starter · #9
I looked in regedit in the folders you specified and I could not find any of them. Their paths as stated in msconfig are:

(There are double entries of all 4 that I have written out.)
c:\windows\9ZWIO0VB.EXE
c:\windows\ZIUPQ57J.EXE
c:\windows\X0M0LVIO.EXE
c:\windows\51VHCEFO.EXE
 

Registered · 217 Posts · Discussion Starter · #10
I noticed that since I got rid of this thing I'll be surfing the net and it will just start throwing 'cannot display' or 'action cancelled' messages. Any ideas on that?
One more thing: I deleted these programs already.
 

Registered · 46,465 Posts
Click Start > Settings > Control Panel, then double-click Add/Remove Programs.
On the Install/Uninstall tab, double-click "Microsoft Internet Explorer 6 SP1 and Internet Tools", click the Repair Internet Explorer option, and then click OK.
 

Registered · 217 Posts · Discussion Starter · #12
Hey, thanks for everything, I got rid of it. Only one more question: how do you get rid of netpals games? I have tried and the uninstaller doesn't work. Other than that I think I have a clean system running like before :)
 

Registered · 46,465 Posts
I really can't tell you how to remove everything added by those games, but you could delete the corresponding files and folders. Then you would have to clean out the registry entries. You might want to check the website for info on that.
 

Registered · 217 Posts · Discussion Starter · #14
OK, thanks, I'll do that. Thank you so much for helping me get rid of that trojan.
 