MyTechSupport.ca Computer Support Forums :: Security & Viruses
Topic: TROJ_REVOP.I
stack (Full Member)
« on: October 13, 2005, 03:45:41 AM »

I want to say thanks for all the help in the other thread.

This virus is on my older comp and I hear it reproduces itself with new names every time you try to delete it.
Also, this comp has gotten slower from other problems, I believe.
I ran Trend Micro and Ad-Aware and got rid of a lot of stuff. The only virus on there was this one, but can there be other problems slowing my comp?

Logfile of HijackThis v1.99.1
Scan saved at 9:30:58 PM, on 10/11/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\qcsgdh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\MDM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jethomepage.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [geuxtxc] C:\WINDOWS\System32\qcsgdh.exe r
O4 - HKLM\..\RunOnce: [TMRevopI] C:\WINDOWS\tsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [vi30aut] C:\WINDOWS\System32\vi30aut.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: @Home - {F7524580-3C2C-11D6-AB39-0050BACC8833} - http://home.excite.ca (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Pancake (Global Moderator)
« Reply #1 on: October 14, 2005, 02:50:59 AM »

1. Please download, install, and update the free version of Ewido Security Suite:

When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

Click on Update in the left menu, then click the Start update button.

After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido. DO NOT scan yet.

2. Please download this revised installer for the Nailfix utility from Here. DO NOT run it yet.

3. Reboot to Safe Mode.

4. Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly; this is normal.

5. Next, run Ewido again and click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

If Ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one by one.
If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. Post a new HJT log and the Ewido report.




-----------------------------------------------------------------------------------

Go to Start > Run, type services.msc and click OK. Look for the below service:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

When you find it, stop it if it is running, double-click on it and change the startup type to Disabled.

Next, go HERE and download SvcProc.reg to your Desktop. Double-click on it to merge it with your Registry and boot into Safe Mode (restart your PC and tap F8 as it restarts), then run HijackThis, check the below entries and click on Fix Checked.

O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [geuxtxc] C:\WINDOWS\System32\qcsgdh.exe r
O4 - HKLM\..\RunOnce: [TMRevopI] C:\WINDOWS\tsc.exe
O4 - HKCU\..\Run: [vi30aut] C:\WINDOWS\System32\vi30aut.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Delete these (red) files/folders

C:\WINDOWS\etb
C:\WINDOWS\System32\qcsgdh.exe
C:\WINDOWS\tsc.exe
C:\WINDOWS\System32\vi30aut.exe

------------------------------------------

You really need to make your computer more secure from malware. Before posting the next log I would advise you to update your Windows and IE browser security to SP1 or SP2. Is there any reason why you don't have it? You are wide open to infection with raw XP. Once you hit the net you could get reinfected, and that would all be a waste of time after carrying out this cleaning.

http://www.microsoft.com/windowsxp/sp2/default.mspx
http://www.microsoft.com/windowsxp/...p1/default.mspx

« Last Edit: October 14, 2005, 02:53:07 AM by Pancake »
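As an added example (this is not code from the thread, from HijackThis or from Trend Micro), the following Python script applies the three rules that the moderator's selection above implies to the O4, O9 and O23 lines of the posted log: a Run/RunOnce entry whose executable sits under the Windows directory and is not on a known-good list, an O9 button whose target is "(no file)", and an O23 service reported as "Unknown owner". The sample input is the set of lines copied from the log above; the rules, the tiny KNOWN_GOOD allowlist and the "delete the file, or the whole folder if the malware made one" convention are assumptions made for this example and are heuristics, not an authoritative triage.

```python
"""Triage of O4 / O9 / O23 lines from a HijackThis log (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed sample input: the O4, O9 and O23 lines copied from the log
# posted at the top of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [geuxtxc] C:\WINDOWS\System32\qcsgdh.exe r
O4 - HKLM\..\RunOnce: [TMRevopI] C:\WINDOWS\tsc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [vi30aut] C:\WINDOWS\System32\vi30aut.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: @Home - {F7524580-3C2C-11D6-AB39-0050BACC8833} - http://home.excite.ca (file missing) (HKCU)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Run-key executables that legitimately live under the Windows directory on XP.
# Assumed, deliberately tiny allowlist for this example; a real one is much longer.
KNOWN_GOOD = {"ctfmon.exe", "systray.exe"}

# Locations (relative to the drive root, lower-cased) where a flagged binary is
# deleted on its own. Anything in another subfolder of the Windows directory
# (e.g. C:\WINDOWS\etb) is treated as a folder the malware created, so the
# whole folder is listed for deletion instead.
SYSTEM_DIRS = {"windows", "windows\\system32"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)\s*\((?P<svc>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
# First .exe token of a Run-key command line, with surrounding quotes dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)\b', re.IGNORECASE)


def executable_of(cmd):
    """Return the .exe path from a Run-key command line (quotes and arguments stripped), or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else None


def windows_relative_dir(path):
    """Lower-cased directory of `path` relative to the drive root (e.g. 'windows\\system32'),
    or None when the path is not an absolute path under <drive>:\\WINDOWS."""
    parts = PureWindowsPath(path).parts
    if len(parts) < 2 or not re.fullmatch(r"[A-Za-z]:\\", parts[0]) or parts[1].lower() != "windows":
        return None
    return "\\".join(p.lower() for p in parts[1:-1])


def triage(log_text):
    """Return {'fix': HJT lines to Fix Checked, 'delete': paths to remove,
    'services': [(service name, binary)] to stop and disable in services.msc}."""
    fix, delete, services = [], [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            rel = windows_relative_dir(exe) if exe else None
            if rel is not None and PureWindowsPath(exe).name.lower() not in KNOWN_GOOD:
                fix.append(line)
                # Dropped straight into WINDOWS or System32: delete the file.
                # Dropped into its own subfolder: delete the folder.
                delete.append(exe if rel in SYSTEM_DIRS else str(PureWindowsPath(exe).parent))
            continue
        m = O9_RE.match(line)
        if m:
            if m.group("target").strip() == "(no file)":   # dead CLSID, nothing behind it
                fix.append(line)
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            fix.append(line)
            services.append((m.group("svc"), m.group("path")))
    return {"fix": fix, "delete": delete, "services": services}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Fix Checked in HijackThis:")
    for entry in result["fix"]:
        print("  " + entry)
    print("Delete:")
    for target in result["delete"]:
        print("  " + target)
    print("Stop and disable in services.msc:")
    for name, binary in result["services"]:
        print("  %s (%s)" % (name, binary))
```

Run it against the sample and the three lists come out in the same order as the moderator's: six lines to fix, four paths to delete (the whole C:\WINDOWS\etb folder, then the three loose executables) and the SvcProc service. The obvious gap is the allowlist: on a real XP box several legitimate Run entries live in System32, so an analyst has to extend KNOWN_GOOD rather than trust the location rule alone, and a dropper installed under Program Files is not flagged by it at all.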