TechSpot

Trojan horse Lop.as lo1[1]

By min0330
Jan 9, 2007
Topic Status:
Not open for further replies.
  1. Hi, I've been reading many posts to fix the problem, but a message from AVG keeps popping out saying Trojan Horse found in:

    C:\Documents and Settings\mine\Local Settings\Temporary Internet Files\Content.IE5\**different folders**\****Different set of letters and numbers***lo1[1]

    I keep clicking "heal" but it just looks like the file's been deleted and redownloaded.

    It seems like the same problem kramer1113's encountered.

    I've downloaded all the programs you instructed, and run CCleaner. I booted into safe mode last night and ran AVG Antivirus, Ad-Aware, SS&D and CCleaner. None of them found the trojan. I thought it had been removed, but when I rebooted into normal mode the message just keeps popping out.

    Please help!! Thanx.
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of min0330 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. min0330

    min0330 TS Rookie Topic Starter

    ok, I've done all the scanning and the logs for Hijackthis and AVG antispyware are attached. My system in this computer is in Chinese so some software such as yahoo toolbar is shown in Chinese, but I guess it wouldn't be a problem.

    Well, thanx again. And hopefully I will be able to get rid of this annoying trojan soon :)
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Delete all files in AVG Antispyware.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    This is the filepath you need to enter into Vundofix.

    C:\WINDOWS\system32\cbxvuvs.dll

    Post a fresh HJT log after doing the above.

    Regards Howard :)

    This thread is for the use of min0330 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. min0330

    min0330 TS Rookie Topic Starter

    here's the log file.
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    UERS_0001_N68M1801NetInstaller.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {B810FAA9-AA2C-4332-8486-FF7D81DD842B} - C:\WINDOWS\system32\cbxvuvs.dll (file missing)

    O4 - HKLM\..\Run: [NI.UERS_0001_N68M1801] "C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe" -nag

    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

    O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - D:\Downloads\DSLite2\dl_text.html

    O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - D:\Downloads\DSLite2\dl_url.html

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mine\「開始」功能表\程式集\IMVU\Run IMVU.lnk (file missing)

    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab

    O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) - http://www.pdbox.co.kr/boxmedia/ctrl_down/BMSpeedCheck.cab

    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

    O16 - DPF: {12755229-656A-4508-BC94-2DA4D314B4C8} (CathayMyATM.ATMFunc) - https://www.mybank.com.tw/myatm/cab/CathayMyATM.CAB

    O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab

    O16 - DPF: {578F2299-722B-4246-9AEB-56885F8AB1EF} (JoyhuntingSmart Control) - http://211.239.124.219/InstallFiles/JoySmartCtrl.cab

    O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://crzycoconuts.myphotoalbum.com/EasyUploadTool.cab

    O16 - DPF: {7C6E92FA-4429-4FB6-909B-798E2EFFAEF0} (NCWeb.Launcher) - http://www.lineage2.co.kr/common/ocx/ncweb.cab

    O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab

    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

    O16 - DPF: {AC895D0C-3C1F-4442-B7A4-C5B275589BF0} (ek21ctl Class) - http://www.ek21.com/activex/ek21.dll

    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.globosoft.info/globobar.cab

    O16 - DPF: {E069F6B2-016E-4550-B18E-92DD72DCB567} (EOICrypt Class) - https://www.b2bank.com.tw/b2bank/LinkwayCrypt.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{65B27B44-90E2-4D41-8630-F85C5876F814}: NameServer = 203.31.48.7 203.31.48.11 (Only fix this if it doesn't belong to your ISP.)

    O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know if you're still having problems.

    Regards Howard :)

    This thread is for the use of min0330 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. min0330

    min0330 TS Rookie Topic Starter

    Sorry for the late reply... here's the latest log file.
    Thanx :)
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    UERS_0001_N68M1801NetInstaller.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {B810FAA9-AA2C-4332-8486-FF7D81DD842B} - C:\WINDOWS\system32\cbxvuvs.dll (file missing)

    O4 - HKLM\..\Run: [NI.UERS_0001_N68M1801] "C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe" -nag

    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

    O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - D:\Downloads\DSLite2\dl_text.html

    O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - D:\Downloads\DSLite2\dl_url.html

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mine\「開始」功能表\程式集\IMVU\Run IMVU.lnk (file missing)

    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab

    O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) - http://www.pdbox.co.kr/boxmedia/ctrl_down/BMSpeedCheck.cab

    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

    O16 - DPF: {12755229-656A-4508-BC94-2DA4D314B4C8} (CathayMyATM.ATMFunc) - https://www.mybank.com.tw/myatm/cab/CathayMyATM.CAB

    O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab

    O16 - DPF: {578F2299-722B-4246-9AEB-56885F8AB1EF} (JoyhuntingSmart Control) - http://211.239.124.219/InstallFiles/JoySmartCtrl.cab

    O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://crzycoconuts.myphotoalbum.com/EasyUploadTool.cab

    O16 - DPF: {7C6E92FA-4429-4FB6-909B-798E2EFFAEF0} (NCWeb.Launcher) - http://www.lineage2.co.kr/common/ocx/ncweb.cab

    O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab

    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

    O16 - DPF: {AC895D0C-3C1F-4442-B7A4-C5B275589BF0} (ek21ctl Class) - http://www.ek21.com/activex/ek21.dll

    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.globosoft.info/globobar.cab

    O16 - DPF: {E069F6B2-016E-4550-B18E-92DD72DCB567} (EOICrypt Class) - https://www.b2bank.com.tw/b2bank/LinkwayCrypt.cab

    O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of min0330 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
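As an added illustration (not code from this thread, from Howard, or from the HijackThis tool), here is a small Python triage pass over HijackThis-style log lines of the kind Howard asked to be fixed in posts 6 and 8. The sample log is constructed from entries quoted in those posts, and the flagging rules are my own heuristics, not HijackThis's.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample log; the entries are copied from the HJT items quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B810FAA9-AA2C-4332-8486-FF7D81DD842B} - C:\WINDOWS\system32\cbxvuvs.dll (file missing)
O4 - HKLM\..\Run: [NI.UERS_0001_N68M1801] "C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe" -nag
O16 - DPF: {578F2299-722B-4246-9AEB-56885F8AB1EF} (JoyhuntingSmart Control) - http://211.239.124.219/InstallFiles/JoySmartCtrl.cab
O16 - DPF: {12755229-656A-4508-BC94-2DA4D314B4C8} (CathayMyATM.ATMFunc) - https://www.mybank.com.tw/myatm/cab/CathayMyATM.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{65B27B44-90E2-4D41-8630-F85C5876F814}: NameServer = 203.31.48.7 203.31.48.11
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")   # "O16 - DPF: ..." -> section, body
URL_RE = re.compile(r"https?://\S+")

def is_ip_host(url: str) -> bool:
    """True when the URL's host is a bare IP address instead of a DNS name."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(log: str) -> list[tuple[str, str]]:
    """Return (entry, reason) pairs for the lines a reviewer should check first.
    The rules are my own heuristics, modelled on what the helper acted on above."""
    findings = []
    for line in log.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # not an HJT entry line
        section, body = m.groups()
        if "(file missing)" in body:      # registry points at a file that is gone
            findings.append((line, "orphaned reference: file no longer on disk"))
        if section == "O20":              # DLL loaded by Winlogon at every logon
            findings.append((line, "Winlogon Notify DLL: verify publisher"))
        if section == "O16":              # ActiveX control and where it came from
            url = URL_RE.search(body)
            if url and (is_ip_host(url.group()) or url.group().startswith("http://")):
                findings.append((line, "ActiveX control from bare-IP or plain-HTTP host"))
        if section == "O4" and "Downloaded Program Files" in body:
            findings.append((line, "auto-run entry inside the ActiveX cache folder"))
        if section == "O17":              # DNS override, compare with ISP's servers
            findings.append((line, "NameServer override: confirm it belongs to your ISP"))
    return findings
```

Entries that survive the filter with no finding (the HTTPS bank control here) are not declared clean; they are simply lower on the list to check by hand.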