Help getting rid of "Trojan Horse lop.as"

[melia232]

I think I have done all my homework before posting my own thread:

(1) I have read this (https://www.techspot.com/vb/topic65943.html, and decided to clean

(2) I have followed all these steps: http://forum.grisoft.cz/freeforum/read.php?4,27725,backpage= in safe mode.

(3) I then followed these instructions: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ (Viruses/Spyware/Malware, preliminary removal instructions)
except I did not run succeed in running trend micro housecall. I tried numerous times in both firefox and explorer, and the browser always closed about 5 minutes into it.

I still have AVG Free Edition telling me there is a "threat detected" - Trojan Horse lop.as. I keep telling it to heal, but it keeps coming up. I have run AVG Free numerous times, and the virus always appears again.

I have read this thread on removing the virus I think I have (https://www.techspot.com/vb/topic67881.html, but also read this disclaimer: “This thread is for the use of kramer1113 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum”

I also read instructions about how to post an HJT log here (https://www.techspot.com/vb/topic19133.html)

I have Windows XP SP1, I re-imaged my computer a few days ago, and was going to get SP2 when this happened. So I didn’t want to get SP2 until this problem is resolved. Not sure if that’s the right idea or not.

I would really appreciate any help fixing this.

Thank you,
Melia

View attachment 12768

View attachment 12769

 

[howard_hopkinso]

Hello and welcome to Techspot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Microsoft Sata emulation (mside)<Disable either the service name and/or the name in brackets.

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

mside.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Laura Cornish.LAURA\Application Data\Mozilla\Firefox\Profiles\xo9stdrj.default\extensions\{B13721C7-F507-4982-B2 E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Laura Cornish.LAURA\Application Data\Mozilla\Firefox\Profiles/xo9stdrj.default\extensions\{B13721C7-F507-4982-B2 E5-502A71474FED}"

O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINDOWS\system\mside.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system\mside.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :wave: :wave:

This thread is for the use of melia232 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[melia232]

Results

Hi Howard,

Okay, I followed the steps.

Just to let you know:

"O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINDOWS\system\mside.exe (file missing)"

was not in the HJT scan result, and I did not find (and therefore didn't delete) mside.exe. in C:/windows/system/

The only thing I found that seemed similar was MSIDE.EXE-13268BC7.pf which is in c:\WINDOWs\prefetch. I did not delete it. Its last date modified was Jan. 18.

I've attached newest HJT log

Thanks!
Melia[/ATTACH]

 

[howard_hopkinso]

Don`t worry that you couldn`t find the O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINDOWS\system\mside.exe (file missing)"

Your HJT log is now clean.

Have HJT fix this inactive enty.

O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\kdfptghg.dll (file missing)

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of melia232 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[melia232]

Thank you

Thank you very much,
Melia