TechSpot

Tormented by lop.AS (I think)

By mrhawk1
Jan 27, 2007
  1. I have been researching/scanning/re-researching and re-rescanning for the past few weeks trying to eradicate this beast. I just ran NoLop after reading another post, but it found no problems.

    I get prompted after boot up to work off-line by IE. In addition, a couple of pop-ups occur after getting a " . . . trying to access a protected item" warning.

    I have attached my latest logs in a zip.

    Ken

    Here's the HJT log from the zip . . .
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :)

    This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. mrhawk1

    mrhawk1 TS Rookie Topic Starter

    Ok . . .

    I've completed the tasks as described in the Preliminaries. However, Look2Me did not restart after 1 minute as described (I waited several minutes).

    The latest HJT log is attached. Sorry, could get AVG anti-spyware to install (but that's another story).

    I still get prompted to start IE online after boot up. If I start IE, I get a couple of pop-ups prompting for passwords. These appear after a warning dialog that a program is trying to access a "protected item". Therefore I only use Firefox for internet access.

    Please advise.

    Thanks,

    Ken
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I really do need to see an AVG Antispyware log. Please post one in your next reply.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    MySQL
    Microsoft authenticate service (MsaSvc) <- Disable the service name and/or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    msasvc.exe
    Program.exe
    CFD.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each one (if there).

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com

    O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll (file missing)

    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm

    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://198.88.234.4:800/iNotes6.cab

    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A93F75C-FF05-4EEC-836C-9C21A16FA99B}: NameServer = 61.123.225.72

    O17 - HKLM\System\CCS\Services\Tcpip\..\{77953F1E-3026-4825-B618-B251D56C8314}: NameServer = 61.123.225.72

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B0B4B4-637A-428E-AA12-C05B4C8770C3}: NameServer = 61.123.225.72

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B842E1C8-B3CB-40AA-811A-06CA1C363A10}: NameServer = 61.123.225.72

    Only fix the above O17 entries if they don't belong to your ISP.

    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program.exe
    C:\WINDOWS\system32\msasvc.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log.

    Regards Howard :)

    This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
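    As an added illustration, not part of this thread and not code from HijackThis or any tool named here: a small Python triage script that applies the same checks Howard applies by eye to the HJT lines above (O1 hosts redirects, O17 NameServer entries that are not the ISP's, O2/O23 entries pointing at missing files). The sample log and the allowlist of known resolvers are constructed for the example.

    ```python
    import re

    # Constructed sample: the HJT lines quoted in the post above, plus one benign O17 line.
    SAMPLE_HJT = """\
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\\WINDOWS\\system32\\imtqodk.dll (file missing)
    O4 - HKLM\\..\\Run: [UpdReg] C:\\WINDOWS\\UpdReg.EXE
    O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{3A93F75C-FF05-4EEC-836C-9C21A16FA99B}: NameServer = 61.123.225.72
    O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B842E1C8-B3CB-40AA-811A-06CA1C363A10}: NameServer = 192.168.1.1
    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\\WINDOWS\\system32\\msasvc.exe (file missing)
    O23 - Service: MySQL - Unknown owner - C:\\Program.exe (file missing)
    """

    # Hypothetical allowlist: resolvers the owner recognises (router/ISP). Anything else is flagged,
    # which is the "only fix O17 entries if they don't belong to your ISP" rule made explicit.
    KNOWN_RESOLVERS = {"192.168.1.1"}

    def triage_hjt(text, known_resolvers=KNOWN_RESOLVERS):
        """Return a list of (section, reason, line) findings for suspicious HJT entries."""
        findings = []
        for line in text.splitlines():
            m = re.match(r"(O\d+) - (.*)", line.strip())
            if not m:
                continue
            section, body = m.group(1), m.group(2)
            if section == "O1":
                # HJT only lists non-default hosts entries; each one silently redirects a name.
                findings.append((section, "hosts file redirect", line))
            elif section == "O17":
                ns = re.search(r"NameServer = ([\d.]+)", body)
                if ns and ns.group(1) not in known_resolvers:
                    findings.append((section, f"unrecognised DNS server {ns.group(1)}", line))
            elif section in ("O2", "O23") and "(file missing)" in body:
                # Registry still points at a deleted binary: leftover of a partly removed infection.
                findings.append((section, "orphaned registry entry (file missing)", line))
            elif section == "O23" and "Unknown owner" in body:
                findings.append((section, "service with unknown owner", line))
        return findings

    if __name__ == "__main__":
        for section, reason, line in triage_hjt(SAMPLE_HJT):
            print(f"[{section}] {reason}: {line}")
    ```
    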
     
  5. mrhawk1

    mrhawk1 TS Rookie Topic Starter

    Here's the IE prompts and popups . . .

    Screenshots attached.

    Ken
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I have removed your .doc file as .doc files can carry viruses.

    Please follow the instructions in my post above, then post the requested log files.

    Regards Howard :)

    This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. mrhawk1

    mrhawk1 TS Rookie Topic Starter

    Here we go . . .

    Sorry 'bout the doc file. I followed the latest instructions. The HJT log is attached.

    I did not find the O23 - MsaSvc or O23 - MySQL entries in the HJT dialog when run in safe mode. The c:\program.exe and c:\windows\system32\msasvc.exe files were not found.

    I can't install AVG antispyware due to a "licensing conflict" of some sort. I have tried deleting my AVG version and re-installing, but cannot delete it. I will need to contact AVG support to get this corrected.

    I ran SSD and it came back clean.

    Thanks for your help and patience,

    Ken
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Well done, your HJT log is now clean. If and when you get your AVG Antispyware problem sorted out, please post an AVG Antispyware log.

    Regards Howard :)

    This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. mrhawk1

    mrhawk1 TS Rookie Topic Starter

    Thank you, but I'm still getting the "work offline" and "protected item" pop-ups.

    Any idea what could cause these?

    Ken
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, let's see if we can find any other nasties lurking on your system. This is why I wanted to see an AVG Antispyware log.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Attach the Blacklight and combofix logs.

    Regards Howard :)

    This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. mrhawk1

    mrhawk1 TS Rookie Topic Starter

    I ran blbeta and combofix. Blbeta did not produce a log file that I saw. It found 3 hidden items (wav files), but these were old audio files I knew were there.

    I have attached the combofix log.

    Thanks for your help . . . again,

    Ken

    p.s. Don't you ever sleep?

    Sorry, here's the HJT log after running Blacklight and ComboFix.

    Ken
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Blacklight and Combofix are both telling you, you have a rootkit infection.

    Delete the files that Blacklight found as they are infected. If you can't delete them, run Blacklight again and choose the option to rename them.

    Post a fresh Combofix and HJT log after doing that.

    Regards Howard :)

    This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. mrhawk1

    mrhawk1 TS Rookie Topic Starter

    Rootkit . . .

    I re-ran Blacklight and re-named the 3 .wav files. I have attached fresh logs from HJT and ComboFix (zip).

    While scouring the web for references to rootkits, I found a rootkit detection/removal tool from Trend Micro, RootKitBuster v1.6b. I also included a log file from this tool.

    Regards,

    Ken
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Trend Micro, RootKitBuster v1.6b contains only false positives.

    Combofix still finds the presence of a rootkit driver.

    Go HERE and follow the instructions. Please post the results. If we can't get rid of this soon, you may have no other choice other than a reformat. Some rootkits can be impossible to remove.

    Regards Howard :)

    This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. mrhawk1

    mrhawk1 TS Rookie Topic Starter

    SysClean & AproposFix

    I ran SysClean & AproposFix. Logs are attached.

    It's not looking good.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is still clean.

    The AproposFix log shows nothing. Did you run the rest of the tools/programmes in the thread? If you did, please let me know the results.

    If you didn't, please do so and let me know the results.

    I'd also like you to download and run this tool: Rustock.b-fix

    Regards Howard :)

    This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. mrhawk1

    mrhawk1 TS Rookie Topic Starter

    Let's give these logs a go . . .

    The Gromozone tool found no infections.

    Ken
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go HERE and follow the instructions, just to make sure the Rustock rootkit has gone.

    Then, boot into safe mode and do the following.

    Delete this bold directory.

    C:\Documents and Settings\Dad\My Documents\TechSupport <- Delete the entire folder.

    Empty your recycle bin.

    Let me know the results and how your system is running.

    Regards Howard :)

    This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. mrhawk1

    mrhawk1 TS Rookie Topic Starter

    Howard,

    I followed the latest instructions using Reanimator and deleted the TechSupport directory. My logs are attached. I believe I still have the infection.

    Unless you've got another ace up your sleeve, I'll re-image the drive from a back-up I made on 1/1/07. (Thank goodness for Ghost.)

    You've been EXTREMELY patient with me. I've learned a lot about virus detection and elimination (and how to avoid them).

    Thanks again,

    Ken
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean. However, Combofix shows your system is riddled with nasty infections.

    I think it's time you considered doing a reformat and reinstall.

    Regards Howard :)

    This thread is for the use of mrhawk1 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
