TechSpot

Trojan Lop.as and other nasties - logs attached

By Aonghus
Jan 9, 2007
  1. Hi guys,
    Been reading some of the other threads.
    My only symptoms are AVG messages about Lop.as, Dialer.COH.
    I've performed all the preliminary tests as instructed in the other document and have the two log files:

    View attachment 12397

    View attachment 12398

    Put pasted information into attachments.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with at least one trojan.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    Let me know how you wish to proceed.

    Regards Howard :)

    This thread is for the use of Aonghus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Aonghus

    Aonghus TS Rookie Topic Starter

    Hi Howard,

    My computer doesn't store any particularly sensitive data so I'd like to attempt a clean, but will do a fresh format & install if necessary.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Did you install this programme yourself? WinPcap. If you did, then no problem. However, if you didn`t, you should uninstall it from Add/Remove Programmes.

    Delete the Sdfix backups.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    This is the filepath you need to enter into Vundofix.

    C:\WINDOWS\SYSTEM32\winetn32.dll

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    update.exe

    Close task manager.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Internet Explorer\update.exe
    C:\Program Files\Common Files\{32196C40-0BB0-6153-1028-050914050161}\Bar888.dll

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log after doing the above.

    Regards Howard :)

    This thread is for the use of Aonghus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Aonghus

    Aonghus TS Rookie Topic Starter

    I don't remember installing WinPCap. I doubt I'd have any use for it. I uninstalled it. I deleted SDfix backups.

    I deleted winetn32.dll with VundoFix.

    I booted into safe mode and update.exe wasn't running as a process but I found update.exe in the Internet Explorer folder and deleted it.

    The folder in Common Files was there but Bar888.dll wasn't in it.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Did you delete the folder C:\Program Files\Common Files\{32196C40-0BB0-6153-1028-050914050161} If not, you should do so, after following these instructions in the order they are given.

    We need to temporarily disable Spybot Search & Destroy`s TeaTimer, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    This is the filepath you need to enter into vundofix.

    C:\WINDOWS\system32\opnklkj.dll

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    COM+ Messages

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    svchosts.exe<Not to be confused with svchost.exe.

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = marlboro:8080<Fix this if you didn`t set this proxy yourself, or you don`t know what it is.

    O2 - BHO: (no name) - AutorunsDisabled - (no file)

    O2 - BHO: (no name) - {58E2DC6D-F00C-4338-91C6-D0F7D2C810D1} - C:\WINDOWS\system32\opnklkj.dll

    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

    O20 - Winlogon Notify: opnklkj - C:\WINDOWS\SYSTEM32\opnklkj.dll

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\system32\svchosts.exe<Not to be confused with svchost.exe.
    C:\Program Files\Common Files\{32196C40-0BB0-6153-1028-050914050161}<Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Aonghus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
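The entries Howard asks HJT to fix above share a few recognisable traits: a proxy the user never set, BHOs with no name, a Winlogon Notify DLL that is the same file as a nameless BHO, and a service whose binary is named one letter away from svchost.exe. The script below is an added example, not part of the thread and not part of HijackThis; it applies those checks to a constructed sample made of the thread's own log lines plus two benign entries (an Adobe BHO with a placeholder CLSID and the Windows Audio service) so the contrast is visible. The list of system binary names to compare against is an assumption of the example.

```python
import re
from typing import List, Optional, Set, Tuple

# Assumed list of Windows binaries whose names malware commonly imitates
# (e.g. svchosts.exe vs svchost.exe, as in the thread).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "smss.exe",
}

# Constructed sample: the entries quoted in the thread plus two benign
# entries for contrast. The Adobe CLSID below is a placeholder, not a real one.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = marlboro:8080
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {58E2DC6D-F00C-4338-91C6-D0F7D2C810D1} - C:\WINDOWS\system32\opnklkj.dll
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: opnklkj - C:\WINDOWS\SYSTEM32\opnklkj.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""

_FULL_DLL = re.compile(r"[A-Za-z]:\\.+?\.dll\b", re.I)
_BARE_DLL = re.compile(r"\b[\w.-]+\.dll\b", re.I)
_EXE_PATH = re.compile(r"[A-Za-z]:\\.+?\.exe\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (plain DP; inputs are short file names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, quotes stripped."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_dll(body: str) -> Optional[str]:
    """File name of the DLL referenced by an entry, if any."""
    m = _FULL_DLL.search(body) or _BARE_DLL.search(body)
    return basename(m.group(0)) if m else None


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O20 - ...' into (section, body); None for non-entry lines."""
    m = re.match(r"^([A-Z]\d+)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def mimics_system_binary(name: str) -> bool:
    """True when the name is one edit away from a well-known Windows binary."""
    return name not in KNOWN_SYSTEM_BINARIES and any(
        edit_distance(name, k) <= 1 for k in KNOWN_SYSTEM_BINARIES)


def analyse_hjt_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, entry body) for each entry worth a second look."""
    entries = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    # DLLs registered as BHOs; a Winlogon Notify entry reusing one is suspicious.
    bho_dlls: Set[str] = {d for sec, body in entries if sec == "O2"
                          for d in [extract_dll(body)] if d}
    findings: List[Tuple[str, str, str]] = []
    for sec, body in entries:
        reason = None
        if sec.startswith("R") and "ProxyServer" in body:
            reason = "proxy configured; confirm you set it yourself"
        elif sec == "O2" and ("(no name)" in body or "(no file)" in body):
            reason = "BHO with no name or no file"
        elif sec == "O20":
            dll = extract_dll(body)
            if "(file missing)" in body:
                reason = "Winlogon Notify entry whose DLL is missing"
            elif dll and dll in bho_dlls:
                reason = "Winlogon Notify DLL is also registered as a BHO"
        elif sec == "O23":
            m = _EXE_PATH.search(body)
            exe = basename(m.group(0)) if m else None
            if exe and mimics_system_binary(exe):
                reason = f"service binary {exe!r} mimics a system binary name"
            elif "Unknown owner" in body and "(file missing)" in body:
                reason = "service with unknown owner and missing binary"
        if reason:
            findings.append((sec, reason, body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in analyse_hjt_log(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n      {body}")
```

Run on the sample, the six thread entries are reported and the two benign entries are not; the Winlogon Notify check only fires because the same DLL also appears as a nameless BHO, which is the pairing Howard has HJT remove here. A proxy entry is reported for confirmation rather than condemned, matching his "fix this if you didn't set it yourself" wording.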
     
  7. Aonghus

    Aonghus TS Rookie Topic Starter

    For some reason I don't have a Spybot system tray icon even when the main program is launched so I couldn't perform step 1. Maybe this interfered with later operations.
    I disabled Tea-Timer in the tools section.
    I tried to delete opnklkj.dll with VundoFix (while in safe mode); the program said it would attempt to delete the file on reboot. VundoFix launched on boot into normal mode and appeared to clear it.

    I found and fixed all items in HJT except the last one, which wasn't in the HJT list:

    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

    svchosts.exe wasn't in the system32 folder.
    I had already deleted the folder in Common Files.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Have HJT fix this inactive entry.

    O2 - BHO: (no name) - {58E2DC6D-F00C-4338-91C6-D0F7D2C810D1} - C:\WINDOWS\system32\opnklkj.dll (file missing)

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Aonghus only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. Aonghus

    Aonghus TS Rookie Topic Starter

    Excellent, no more alerts.
    Thank you Howard very much for your time, effort and expertise!

    Aonghus
     
Topic Status:
Not open for further replies.
