TechSpot

lop issues - have followed instructions, even reformatted, still there

By richardgatti
Jan 21, 2007
  1. Help!
    Bought a second hand laptop, installed AVG Free and Kerio, noticed some virus issues that I couldn't seem to shake. So I reformatted using the supplied Toshiba disk, reinstalled Windows, AVG etc. All was fine for a couple of days, and then I had the same virus problems. Followed the advice on the forum, again, seemed to shake it for a few days, then, bang, same problem. Seems to be something to do with fuelsys.exe, lop, and telecom.exe. At present, something keeps trying to shut down Kerio, I get a lot of internet traffic that is nothing to do with me, AVG picks up the odd virus and after connecting to the internet for more than about 10-15 minutes, strange things start happening (the whole computer slows down, task manager won't open, the internet becomes unresponsive).

    I've followed the instructions, logs are attached. Both look to me and Vundo found something and removed it, but already, in typing this something has attacked Kerio...

    Hope you can help
    r

    see attached
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft Telecoms Center

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    telcoms.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe

    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe

    O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\System32\telcoms.exe

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\system32\ddcywur.dll
    C:\WINDOWS\system32\fccawuu.dll
    C:\WINDOWS\system32\fccaxvv.dll
    C:\WINDOWS\system32\fccdbcd.dll
    C:\WINDOWS\system32\hggebay.dll
    C:\WINDOWS\system32\hggebxw.dll
    C:\WINDOWS\system32\jkkjgec.dll
    C:\WINDOWS\system32\ljjhihg.dll
    C:\WINDOWS\system32\mljghgh.dll
    C:\WINDOWS\system32\mljjhhe.dll
    C:\WINDOWS\system32\mljjhhf.dll
    C:\WINDOWS\system32\nnnklij.dll
    C:\WINDOWS\system32\rqrrstq.dll
    C:\WINDOWS\system32\ssqoolk.dll
    C:\WINDOWS\system32\ssqqpom.dll
    C:\WINDOWS\system32\urqpmlk.dll
    C:\WINDOWS\system32\vtuvuus.dll
    C:\WINDOWS\system32\xxyvvtu.dll
    C:\WINDOWS\system32\xxyxvsr.dll
    C:\WINDOWS\system32\xxyyvwv.dll

    Once your system has rebooted, rehide your protected OS files.

    Post fresh HJT and AVG Antispyware logs.

    Regards Howard :wave: :wave:

    This thread is for the use of richardgatti only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. richardgatti

    richardgatti TS Rookie Topic Starter

    thanks for the swift response

    AVG is still picking up loads of stuff - logs attached
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete all files in AVG Antispyware quarantine.

    Delete the Killbox backups.

    Have HJT fix these inactive entries.

    O2 - BHO: (no name) - {AC16C3BC-AEBE-4B17-B0AD-D2B7F76DFAB8} - C:\WINDOWS\System32\pmnkkih.dll (file missing)

    O20 - Winlogon Notify: pmnkkih - pmnkkih.dll (file missing)

    Reboot your system.

    Turn off system restore (XP/ME only). See how HERE.

    Turn system restore back on again. This will have deleted all your old restore points and anything nasty that's in them. It will also have created a new, clean restore point.

    Other than the above, your system looks clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

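    As an added example (not part of this thread, and not code from Howard, TechSpot or any of the tools named here), a read-only PowerShell check for the persistence points named in posts 2 and 4 above: the Run/RunServices value "Microsoft Telecoms Center", the service and process of that name, C:\WINDOWS\System32\telcoms.exe, and the pmnkkih Winlogon Notify entry. The full registry paths are the standard locations that HJT's O4 and O20 lines abbreviate; the script only reports what it finds, so the result can be compared against a fresh HJT log before and after the removal steps.

```powershell
# Added example: report the persistence points this thread names. Read-only.
$valueName = 'Microsoft Telecoms Center'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',          # O4 HKLM\..\Run
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',  # O4 HKLM\..\RunServices
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'           # O4 HKCU\..\Run
)
# O20 Winlogon Notify entry from post 4
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnkkih'
$exePath = Join-Path $env:SystemRoot 'System32\telcoms.exe'
$findings = @()

foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # The indexer returns $null when the value name is absent
        if ($props -and $props.PSObject.Properties[$valueName]) {
            $findings += "Registry: $key\$valueName = $($props.$valueName)"
        }
    }
}

if (Test-Path $notifyKey) {
    $dll = (Get-ItemProperty -Path $notifyKey -ErrorAction SilentlyContinue).DllName
    $findings += "Winlogon Notify: pmnkkih (DllName = $dll)"
}

# -Force so a hidden/system-attributed copy is still reported
if (Test-Path $exePath) {
    $f = Get-Item -Path $exePath -Force
    $findings += "File: $exePath ($($f.Length) bytes, modified $($f.LastWriteTime))"
}

$svc = Get-Service -DisplayName $valueName -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service: $($svc.Name) [$($svc.Status)]" }

$proc = Get-Process -Name 'telcoms' -ErrorAction SilentlyContinue
if ($proc) { $findings += "Process: telcoms.exe PID $($proc.Id -join ',')" }

if ($findings.Count -eq 0) {
    'No trace of the Microsoft Telecoms Center persistence found.'
} else {
    'Findings:'
    $findings | ForEach-Object { "  $_" }
}
```

    A clean result here does not prove the machine is clean (post 10 shows the entry returning after a clean log); it only confirms these specific locations are empty at the moment it runs.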
     
  5. richardgatti

    richardgatti TS Rookie Topic Starter

    Thanks!

    Cheers Howard, that seems ok for now. If anything happens, I'll come back looking for some help! You're a star.
    r
     
  6. richardgatti

    richardgatti TS Rookie Topic Starter

    It's back. And this time it's personal

    Hi Howard. Thanks for your help before, which I thought had solved the problem. I hadn't used the machine for a week or so, and my wife told me it was 'acting funny'. I tried to access the net this morning to update my Ad-Aware files, and couldn't even do that. Something is trying to kill Kerio (I ended up with seven or eight status icons for Kerio, even after it told me it had been shut down), and running the 'preliminary instructions' found both smitfraud and virtuamundo.

    Here is my most recent HijackThis log. Seems ok at the moment, but I have a feeling it won't last...
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You're right, it is back.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft Telecoms Center

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    telcoms.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe

    O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\System32\telcoms.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  8. richardgatti

    richardgatti TS Rookie Topic Starter

    cheers

    OK, have done that, there were no instances of telecoms.exe in either services or processes. Here's the log.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  10. richardgatti

    richardgatti TS Rookie Topic Starter

    And guess what. It's back

    Found 27 copies of lop this morning with AVG.
    My HijackThis log shows telecoms.exe again... see attached.
    No other symptoms...
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    telcoms.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\System32\telcoms.exe

    Reboot into normal mode and rehide your protected OS files.

    Please Download NoLop to your desktop from one of the links below...
    http://www.spywareedge.net/nolop/NoLop.exe
    http://www.thespykiller.co.uk/forum/...pmod;dl=item16

    First close any other programs you have running, as this will require a reboot.
    Double click NoLop.exe to run it.
    Now click the button labelled "Search and Destroy".
    <<Your computer will now be scanned for infected files>>
    When scanning is finished you will be prompted to reboot only if infected; click OK.
    Now click the "REBOOT" button.
    A message should pop up from NoLop.
    If not, double click the program again and it will finish.

    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

    Go HERE and follow the instructions for AVG Antispyware and Combofix.

    Post the C:\NoLop.log along with fresh HJT, Combofix and AVG Antispyware logs.

    Regards Howard :)

     
  12. jobeard

    jobeard TS Ambassador Posts: 9,348   +622

    Are you using a router and what rules do you have for your firewall?

    Go offline until you get it clean and ensure your security measures are active
    before you bring it back online.
     
  13. richardgatti

    richardgatti TS Rookie Topic Starter

    Howard,
    thanks for this, but I'm not sure this has worked. I didn't find any traces:

    so no telecoms.exe in my process list,
    no file in my System32 folder,
    no instance of telecoms.exe in my HJT log,
    NoLop didn't find anything,
    ComboFix has been withdrawn. I get a message saying:
    'The tool, ComboFix has been temporarily withdrawn.

    The author discovered a rootkit infection that will interfere with ComboFix's running.

    This will cause Combofix to be UNSAFE FOR USE on your machine.

    Even if you manage to find a mirror for the tool, PLEASE DO NOT RUN THIS TOOL

    Apologies for any inconvenience caused'
    (And incidentally, the link you gave me took me to the preliminary virus removal instructions, and not to ComboFix.)

    Here are my AVG (which finds 2 other infections) and HJT logs.

    Jo, I'm using the free version of Kerio with the default settings, and a USB ADSL modem from D-Link (model DSL-200). I'm only really online when I'm trying to fix the virus problems! (And then for as short a time as possible.)

    regards
    richard
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Combofix was withdrawn for the reasons stated. This was only discovered recently, see HERE for further info.

    Your HJT log is clean.

    Delete all files in AVG Antispyware quarantine.

    I'd like you to download, install and run the AVG Antirootkit programme. Please let me know the results.

    Regards Howard :)

     
  15. richardgatti

    richardgatti TS Rookie Topic Starter

    No joy

    This finds nothing on the standard or the in-depth search...
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, in that case, your system looks clean.

    See how it goes and post back if you have any further problems.

    Regards Howard :)

     
  17. richardgatti

    richardgatti TS Rookie Topic Starter

    Well, I hope so, and AVG is showing up clean too, but I don't know where it went...
    I'll keep you posted.
    Thanks for all your help.
    r
     
Topic Status:
Not open for further replies.
