Trojan horse Lop.as lo1[1]

Status
Not open for further replies.
Hi, I've been reading many posts to fix the problem, but a message from AVG keeps popping up saying Trojan Horse found in:

C:\Documents and Settings\mine\Local Settings\Temporary Internet Files\Content.IE5\**different folders**\****Different set of letters and numbers***lo1[1]

I keep clicking "heal" but it just looks like the file's been deleted and redownloaded.

It seems like the same problem kramer1113 encountered.

I've downloaded all the programs you instructed, and run CCleaner. I booted into safe mode last night and ran AVG antivirus, Ad-Aware, SS&D and CCleaner. None of them found the trojan. I thought it had been removed but when I rebooted into normal mode, the message just keeps popping up.

Please help!! Thanx.
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of min0330 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, I've done all the scanning and the logs for Hijackthis and AVG antispyware are attached. My system on this computer is in Chinese so some software such as Yahoo toolbar is shown in Chinese, but I guess it wouldn't be a problem.

Well, thanx again. And hopefully I will be able to get rid of this annoying trojan soon :)
 
Delete all files in AVG Antispyware.

Download Vundofix from HERE.

Double click the Vundofix.exe to run it.

Right click in the vundofix window and click add files.

Enter the full file path(s) to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

This is the filepath you need to enter into Vundofix.

C:\WINDOWS\system32\cbxvuvs.dll

Post a fresh HJT log after doing the above.

Regards Howard :)

This thread is for the use of min0330 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

UERS_0001_N68M1801NetInstaller.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: (no name) - {B810FAA9-AA2C-4332-8486-FF7D81DD842B} - C:\WINDOWS\system32\cbxvuvs.dll (file missing)

O4 - HKLM\..\Run: [NI.UERS_0001_N68M1801] "C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe" -nag

O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - D:\Downloads\DSLite2\dl_text.html

O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - D:\Downloads\DSLite2\dl_url.html

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mine\「開始」功能表\程式集\IMVU\Run IMVU.lnk (file missing)

O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab

O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) - http://www.pdbox.co.kr/boxmedia/ctrl_down/BMSpeedCheck.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {12755229-656A-4508-BC94-2DA4D314B4C8} (CathayMyATM.ATMFunc) - https://www.mybank.com.tw/myatm/cab/CathayMyATM.CAB

O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab

O16 - DPF: {578F2299-722B-4246-9AEB-56885F8AB1EF} (JoyhuntingSmart Control) - http://211.239.124.219/InstallFiles/JoySmartCtrl.cab

O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://crzycoconuts.myphotoalbum.com/EasyUploadTool.cab

O16 - DPF: {7C6E92FA-4429-4FB6-909B-798E2EFFAEF0} (NCWeb.Launcher) - http://www.lineage2.co.kr/common/ocx/ncweb.cab

O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

O16 - DPF: {AC895D0C-3C1F-4442-B7A4-C5B275589BF0} (ek21ctl Class) - http://www.ek21.com/activex/ek21.dll

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.globosoft.info/globobar.cab

O16 - DPF: {E069F6B2-016E-4550-B18E-92DD72DCB567} (EOICrypt Class) - https://www.b2bank.com.tw/b2bank/LinkwayCrypt.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{65B27B44-90E2-4D41-8630-F85C5876F814}: NameServer = 203.31.48.7 203.31.48.11 <-- Only fix this if it doesn't belong to your ISP.

O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know if you're still having problems.

Regards Howard :)

This thread is for the use of min0330 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
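As an added illustration (not part of the thread, and not HijackThis or Vundofix code), here is a small Python triage script that parses the kinds of HJT entries Howard lists above and flags the ones that warrant a second look: hooks whose DLL is missing, autoruns launched from Downloaded Program Files, DPF controls fetched from a bare IP address, and custom NameServer settings, which, as Howard says, should be checked against your ISP before fixing. The sample lines are constructed from the entries quoted in the thread.

```python
import re
from ipaddress import ip_address

# Constructed sample: HijackThis-style lines taken from the log entries quoted above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {B810FAA9-AA2C-4332-8486-FF7D81DD842B} - C:\\WINDOWS\\system32\\cbxvuvs.dll (file missing)
O4 - HKLM\\..\\Run: [NI.UERS_0001_N68M1801] "C:\\WINDOWS\\Downloaded Program Files\\UERS_0001_N68M1801NetInstaller.exe" -nag
O16 - DPF: {578F2299-722B-4246-9AEB-56885F8AB1EF} (JoyhuntingSmart Control) - http://211.239.124.219/InstallFiles/JoySmartCtrl.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{65B27B44-90E2-4D41-8630-F85C5876F814}: NameServer = 203.31.48.7 203.31.48.11
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
"""

# Every HJT entry starts with its section code ("O2", "O16", ...) followed by " - ".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Split an HJT log into (section, detail) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _is_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a hostname."""
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def triage(entries):
    """Return (section, reason, detail) for entries worth a second look."""
    findings = []
    for sec, detail in entries:
        if sec in ("O2", "O20") and "(file missing)" in detail:
            # A BHO or Winlogon Notify hook whose DLL is gone: an orphaned
            # registry entry, which is what was left behind here after cleaning.
            findings.append((sec, "hook points to missing file", detail))
        elif sec == "O4" and "Downloaded Program Files" in detail:
            # Autorun pointing at an installer stub in the IE download cache.
            findings.append((sec, "autorun from Downloaded Program Files", detail))
        elif sec == "O16":
            host = re.search(r"https?://([^/]+)/", detail)
            if host and _is_ip(host.group(1)):
                findings.append((sec, "DPF control served from raw IP", detail))
        elif sec == "O17":
            # Registry-set DNS servers: confirm they belong to the ISP before removing.
            findings.append((sec, "custom NameServer, confirm with ISP", detail))
    return findings
```

Run `triage(parse_hjt(SAMPLE_LOG))` to see the five flagged entries; the Musicnotes DPF line is left alone because it is fetched from a hostname.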
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

UERS_0001_N68M1801NetInstaller.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: (no name) - {B810FAA9-AA2C-4332-8486-FF7D81DD842B} - C:\WINDOWS\system32\cbxvuvs.dll (file missing)

O4 - HKLM\..\Run: [NI.UERS_0001_N68M1801] "C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe" -nag

O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - D:\Downloads\DSLite2\dl_text.html

O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - D:\Downloads\DSLite2\dl_url.html

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mine\「開始」功能表\程式集\IMVU\Run IMVU.lnk (file missing)

O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab

O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) - http://www.pdbox.co.kr/boxmedia/ctrl_down/BMSpeedCheck.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {12755229-656A-4508-BC94-2DA4D314B4C8} (CathayMyATM.ATMFunc) - https://www.mybank.com.tw/myatm/cab/CathayMyATM.CAB

O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab

O16 - DPF: {578F2299-722B-4246-9AEB-56885F8AB1EF} (JoyhuntingSmart Control) - http://211.239.124.219/InstallFiles/JoySmartCtrl.cab

O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://crzycoconuts.myphotoalbum.com/EasyUploadTool.cab

O16 - DPF: {7C6E92FA-4429-4FB6-909B-798E2EFFAEF0} (NCWeb.Launcher) - http://www.lineage2.co.kr/common/ocx/ncweb.cab

O16 - DPF: {913BF18F-672D-4676-9855-F9A192A88886} (IMBCContents Control) - http://touch.imbc.com/ocx/Online.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

O16 - DPF: {AC895D0C-3C1F-4442-B7A4-C5B275589BF0} (ek21ctl Class) - http://www.ek21.com/activex/ek21.dll

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.globosoft.info/globobar.cab

O16 - DPF: {E069F6B2-016E-4550-B18E-92DD72DCB567} (EOICrypt Class) - https://www.b2bank.com.tw/b2bank/LinkwayCrypt.cab

O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of min0330 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 